Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
z8yxMFhhZI.msi

Overview

General Information

Sample name:z8yxMFhhZI.msi
renamed because original name is a hash value
Original sample name:c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi
Analysis ID:1552153
MD5:ca547b71f62c449c8e365701212469d9
SHA1:43d9688cb60427723cf098896d762b010487bbee
SHA256:c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621
Tags:msisigneduser-JAMESWT_MHT
Infos:

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 1020 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z8yxMFhhZI.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6064 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2992 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0665D20C0C89E79051AAD52EC447123B MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 2484 cmdline: rundll32.exe "C:\Windows\Installer\MSID54C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5297578 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 2676 cmdline: rundll32.exe "C:\Windows\Installer\MSID81C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5298234 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 6876 cmdline: rundll32.exe "C:\Windows\Installer\MSIEAF9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5303046 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7412 cmdline: rundll32.exe "C:\Windows\Installer\MSICED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5311734 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6016 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CA0C5DC5313F71A0151B846B9DF49599 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 2172 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 2828 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 5744 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 7020 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="marisol.condimentos@hotmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ND5FxIAL" /AgentId="a6dedb0f-2022-4aea-abf1-f34b9f20892e" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 6480 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F8E5523720913A12EDC79533245EA2A0 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • _isB2BB.exe (PID: 7736 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59A2717C-22F7-4A43-A7C1-00D51E25C2A7} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 3520 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C9DF522-E68D-4E9E-888D-42C716E8ED46} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 7804 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{93B32141-75DD-468F-91FD-A34B20052481} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 7852 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02BC1A4E-DCC8-4D67-9DD0-6286586A3FE7} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 7900 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{97507E97-1CE2-42FF-A992-32B34D8B9AF8} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 8048 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{937EEFBD-E420-4210-82B0-5A755D4DC99D} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 7936 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{096088E7-31E4-460F-A477-AA5FD56C0C67} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 7864 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C08DB0C-2CD4-44D8-B8C1-2ED1CF4D0265} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 1528 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F24D5FAD-F814-47DB-BA4C-8D4C9227B143} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isB2BB.exe (PID: 4192 cmdline: C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{42674A53-EFF1-4628-AC3D-41E80A5C40CB} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • cmd.exe (PID: 772 cmdline: C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7196 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7312 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7768 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "68b87b08-ee5a-4a28-b15f-bf80d4fa6d54" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ND5FxIAL MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7884 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "6ff523c4-fe05-487b-a560-69e402e17cca" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ND5FxIAL MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 8088 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "0a4bcae9-40bd-4b1b-b8e4-0618fbce3416" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ND5FxIAL MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1832 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7336 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
          • Conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageSTRemote.exe (PID: 6036 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "e41a296a-bcac-4b5c-8bc7-2e8c101aed07" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000ND5FxIAL MD5: 749C51599FBF82422791E0DF1C1E841C)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SplashtopStreamer.exe (PID: 6732 cmdline: "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1 MD5: 6AAE99153C786353C750BF8F5C9779B1)
        • PreVerCheck.exe (PID: 7592 cmdline: "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1 MD5: A7CE785B6CD1C9657040CA9B6CBEED10)
          • msiexec.exe (PID: 7616 cmdline: msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • AgentPackageMonitoring.exe (PID: 6688 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "74fce1a7-1569-4d1d-870e-be0a7f6a226e" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ND5FxIAL MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7940 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 8020 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 5548 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 2992 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • Conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLogJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
    C:\Windows\Temp\~DF5AA26B837347CAF4.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
      C:\Windows\Temp\~DF313360291D7C6B76.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
        C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dllJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
          C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
            Click to see the 99 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000018.00000002.2731087701.00000148AEF36000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
              00000020.00000002.2670881408.000001EDE2350000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                00000018.00000002.2683179432.0000014895B2C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                  0000000C.00000002.1851255413.000001DF0ABD0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                    00000018.00000002.2692056998.00000148964FC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                      Click to see the 203 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      12.0.AteraAgent.exe.1df0a9f0000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                        24.2.AteraAgent.exe.14896d698a0.2.raw.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                          35.2.AgentPackageMonitoring.exe.1e369090000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                            32.0.AgentPackageSTRemote.exe.1ede1f00000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                              24.2.AteraAgent.exe.14896b4b638.0.raw.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                                Click to see the 5 entries

                                Sigma Signatures

                                Sigma detected: Conhost Spawned By Uncommon Parent Process
                                Source: Process startedAuthor: Tim Rauch: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\Conhost.exe, NewProcessName: C:\Windows\System32\Conhost.exe, OriginalFileName: C:\Windows\System32\Conhost.exe, ParentCommandLine: C:\Windows\System32\svchost.exe -k smphost, ParentImage: C:\Windows\System32\svchost.exe, ParentProcessId: 2992, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 2676, ProcessName: Conhost.exe
                                Sigma detected: CurrentVersion Autorun Keys Modification
                                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: SRCredentialProvider, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 6480, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{97E1814E-5601-41c8-9971-10C319EF61CC}\(Default)
                                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                                Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1832, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 7336, ProcessName: cscript.exe
                                Sigma detected: Net.exe Execution
                                Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CA0C5DC5313F71A0151B846B9DF49599 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6016, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 2172, ProcessName: net.exe
                                Sigma detected: Stop Windows Service Via Net.EXE
                                Source: Process startedAuthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CA0C5DC5313F71A0151B846B9DF49599 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6016, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 2172, ProcessName: net.exe
                                Sigma detected: Windows Processes Suspicious Parent Directory
                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 2992, ProcessName: svchost.exe

                                Suricata Signatures

                                No Suricata rule has matched

                                Joe Sandbox Signatures

                                Click to jump to signature section

                                Show All Signature Results

                                AV Detection

                                barindex
                                Multi AV Scanner detection for dropped file
                                Source: 50d410.rbf (copy)ReversingLabs: Detection: 20%
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeReversingLabs: Detection: 20%
                                Multi AV Scanner detection for submitted file
                                Source: z8yxMFhhZI.msiReversingLabs: Detection: 26%
                                AI detected suspicious sample
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 91.0% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1724BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,35_2_00007FFDF1724BC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1724DE0 CryptReleaseContext,35_2_00007FFDF1724DE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1724E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,35_2_00007FFDF1724E20
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\sharedJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.AppJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.deps.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-convert-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.SecureString.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.AppContext.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-handle-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-utility-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-process-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Writer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-fibers-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Buffers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Brotli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.ServicePoint.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.DataSetExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.X509Certificates.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tracing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Concurrent.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.FileVersionInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Debug.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Timer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\coreclr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Loader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.RegularExpressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Calendars.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.Unsafe.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TextWriterTraceListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-profile-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-locale-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Uri.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Watcher.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-errorhandling-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.CoreLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Algorithms.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\netstandard.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.35Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.35\hostfxr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\dotnet.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\ThirdPartyNotices.txtJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                                Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: MSI406.tmp.1.dr
                                Source: Binary string: System.Threading.Tasks.Dataflow.ni.pdb source: System.Threading.Tasks.Dataflow.dll.1.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000023.00000002.2180486660.000001E369AF2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: Microsoft.CSharp.ni.pdb source: Microsoft.CSharp.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Primitives\net6.0-Release\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.FileSystemGlobbing/Release/net6.0/Microsoft.Extensions.FileSystemGlobbing.pdb source: Microsoft.Extensions.FileSystemGlobbing.dll.24.dr
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.DiagnosticSource/net45-Release/System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll1.24.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdb source: SRUsb.exe.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2033141606.00000224D2992000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000023.00000002.2185412553.000001E369DC2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Cng\net6.0-windows-Release\System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdb source: System.Runtime.InteropServices.dll.24.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdbH5b5 T5_CorDllMainmscoree.dll source: System.Runtime.InteropServices.dll.24.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\net6.0-windows-Release\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2177273190.000001E3690F2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0-windows/System.Diagnostics.EventLog.pdbSHA256 source: System.Diagnostics.EventLog.dll.24.dr
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb* source: System.Diagnostics.Process.dll.24.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\svn\branches\features\iris00_v3_20150407_69486\win32\stxpsdrv\src\filters\nup\objfre_win7_x86\i386\xdnup.pdb source: xdnup.dll.1.dr
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdbH source: SRUsb.exe.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\net6.0-Release\System.Data.Common.pdb source: System.Data.Common.dll.1.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
                                Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: System.Private.DataContractSerialization.dll.1.dr
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2398959302.000002BBE95A2000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2398959302.000002BBE95A2000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Dataflow\net6.0-Release\System.Threading.Tasks.Dataflow.pdb source: System.Threading.Tasks.Dataflow.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb source: System.Diagnostics.Process.dll.24.dr
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2180832610.000001E369BA2000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2006129029.00000224D2072000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2180486660.000001E369AF2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\SRUnPackFile.pdb source: SplashtopStreamer.exe, 00000025.00000000.2183490245.000000000042E000.00000002.00000001.01000000.00000023.sdmp, SplashtopStreamer.exe, 00000025.00000002.2600898671.000000000042E000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdbt+ source: System.Xml.XDocument.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033244997.00000224D2A72000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2691785056.000001EDFB110000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\PreVerCheck.pdb source: PreVerCheck.exe, 00000027.00000000.2233740300.00000000009A3000.00000002.00000001.01000000.00000026.sdmp, PreVerCheck.exe, 00000027.00000002.2577489806.00000000009A3000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033244997.00000224D2A72000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2691785056.000001EDFB110000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb8+N+ @+_CorDllMainmscoree.dll source: System.Reflection.Primitives.dll.1.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: c:\svn\branches\features\iris00_v3_20150407_69486\win32\stxpsdrv\src\filters\nup\objfre_win7_x86\i386\xdnup.pdbh source: xdnup.dll.1.dr
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: z8yxMFhhZI.msi
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0-windows/System.Diagnostics.EventLog.pdb source: System.Diagnostics.EventLog.dll.24.dr
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000023.00000002.2177273190.000001E3690F2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: _isB2BB.exe, 0000002A.00000002.2303086933.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002A.00000000.2297760525.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002B.00000000.2298641530.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002B.00000002.2302332461.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002C.00000000.2299455318.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002C.00000002.2304448266.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002D.00000002.2303511867.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002D.00000000.2301125344.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002E.00000002.2306176759.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002E.00000000.2302332958.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002F.00000000.2304448637.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002F.00000002.2334765018.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000030.00000002.2309764890.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000030.00000000.2305391417.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000031.00000000.2306334387.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000031.00000002.2308962544.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000032.00000002.2311054746.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000032.00000000.2307549447.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000033.00000000.2308961588.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000033.00000002.2312419003.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\net6.0-Release\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2033141606.00000224D2992000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/net6.0-Release/System.Private.DataContractSerialization.pdb source: System.Private.DataContractSerialization.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.1.dr
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: api-ms-win-core-localization-l1-2-0.dll.1.dr
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb source: PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: System.Security.Cryptography.Cng.ni.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb{ source: PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\net6.0-windows-Release\Microsoft.CSharp.pdb source: Microsoft.CSharp.dll.1.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1855945376.000001DF24F82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1855945376.000001DF24F82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2185412553.000001E369DC2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: z8yxMFhhZI.msi, MSID54C.tmp.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Dataflow\net6.0-Release\System.Threading.Tasks.Dataflow.pdbRSDS source: System.Threading.Tasks.Dataflow.dll.1.dr
                                Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.1.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.24.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\winddk\7600.16385.1\src\setup\difxapi\difxcmd\objfre_win7_x86\i386\DIFxCmd.pdb source: DIFxCmd.exe.1.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.FileSystemGlobbing/Release/net6.0/Microsoft.Extensions.FileSystemGlobbing.pdbSHA256 source: Microsoft.Extensions.FileSystemGlobbing.dll.24.dr
                                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: c:
                                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B341A44h12_2_00007FFD9B34187E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B341FFFh12_2_00007FFD9B34187E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B341FFFh12_2_00007FFD9B341EB6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B341FFFh12_2_00007FFD9B341E7E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B341FFFh12_2_00007FFD9B341E88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B341873h12_2_00007FFD9B340C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B34227Bh12_2_00007FFD9B340C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B364ECBh13_2_00007FFD9B364C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B361873h13_2_00007FFD9B360C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B36227Bh13_2_00007FFD9B360C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B37B972h13_2_00007FFD9B37B5E7
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B37B972h13_2_00007FFD9B37B620
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B364ECBh13_2_00007FFD9B364E45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B334ECBh24_2_00007FFD9B334E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B552C70h24_2_00007FFD9B552A90

                                Networking

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Enables network access during safeboot for specific services
                                Source: C:\Windows\SysWOW64\msiexec.exeRegistry value created: NULL Service
                                Yara detected Generic Downloader
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.224d2070000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe, type: DROPPED
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.7/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148967C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/37.9/AGENTPACKAGEAGENTINFORMATI
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEINTERNALPOLLER/23.8/AGENTPACKAGEINTERNALPOLLER.Z
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148967C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/20.1/AGENTPACKAGEOSUPDATES.ZIP
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.0/AGENTPACKAGEPROGRAMMANAGE
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.000001489675C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/27.6/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2ADF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E6E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: rundll32.exe, 00000004.00000002.1771227691.00000000046E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2C5F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896E0B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148969DC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80250000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E30057E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: rundll32.exe, 00000004.00000002.1771227691.00000000046E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2C5F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896E0B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80250000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E30057E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.d
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.dig
                                Source: AteraAgent.exe, 0000000D.00000002.2348840998.000002BBCFD98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEBF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFA4000.00000004.00000020.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0CA0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0942000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0E1C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D11000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896EA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF251A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0530000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896AD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896E0B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896BE7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2034231651.00000224EB28A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEBF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEC4C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AECB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9308000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                                Source: xdnup.dll.1.dr, stdpms.cat.1.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digice
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Dig
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEBF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFA4000.00000004.00000020.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25196000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E8D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF251A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0CA0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0530000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0942000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0E1C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896AD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlM
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlpeYe
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHAA
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25170000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: System.Diagnostics.DiagnosticSource.dll1.24.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25170000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/G
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Im
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25170000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/l
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25170000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25170000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crlocalLow
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.come
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTruGm
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25196000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E8D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0CA0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0942000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0E1C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D11000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896EA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF251A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0530000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896AD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896E0B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896BE7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF251A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl9YOd
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25196000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlbc
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crleeBe
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25170000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/c
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF251A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl#_Dd
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                Source: AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD05F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enP
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AgentPackageAgentInformation.exe, 00000014.00000000.2006129029.00000224D2072000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2049207030.0000017BC9259000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.cofw8
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: rundll32.exe, 00000010.00000002.1904488118.00000000076F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2ADF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocs.pt
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice0N
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.c
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.cBo
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF25170000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24EF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24EF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000C.00000002.1856509849.000001DF251A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0CA0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0530000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0942000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0E1C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896AD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2034231651.00000224EB28A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEBF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEC4C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AECB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEBF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFA4000.00000004.00000020.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2727562739.00000148AEC4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AEF66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlV
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.ncdc.gov.sa0
                                Source: xdnup.dll.1.dr, stdpms.cat.1.drString found in binary or memory: http://ocsp.thawte.com0
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: xdnup.dll.1.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                                Source: xdnup.dll.1.drString found in binary or memory: http://s2.symcb.com0
                                Source: AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Collections.GenericJ
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Runtime.Serialization
                                Source: AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: xdnup.dll.1.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
                                Source: xdnup.dll.1.drString found in binary or memory: http://sv.symcb.com/sv.crt0
                                Source: xdnup.dll.1.drString found in binary or memory: http://sv.symcd.com0&
                                Source: xdnup.dll.1.dr, stdpms.cat.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                                Source: xdnup.dll.1.dr, stdpms.cat.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                                Source: xdnup.dll.1.dr, stdpms.cat.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2178916823.000001E3699A2000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AteraAgent.exe, 0000000D.00000002.2398127205.000002BBE934E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
                                Source: AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                                Source: AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0CA0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0942000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0E1C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D11000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896EA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1856509849.000001DF251A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE9321000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0530000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896AD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896E0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                                Source: rundll32.exe, 00000010.00000002.1904488118.00000000076F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.nlog-project.org/schemas/NLog.xsd
                                Source: xdnup.dll.1.drString found in binary or memory: http://www.symauth.com/cps0(
                                Source: xdnup.dll.1.drString found in binary or memory: http://www.symauth.com/rpa00
                                Source: AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/A
                                Source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.000001489651A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages.p
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Trace
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiComm
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2179127584.000001E369AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/a6dedb0f-2022-4aea-abf1-f34b9f20892e
                                Source: rundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000004.00000002.1771227691.0000000004706000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.comR
                                Source: System.Diagnostics.EventLog.dll.24.drString found in binary or memory: https://aka.ms/binaryformatter
                                Source: System.Diagnostics.EventLog.dll.24.drString found in binary or memory: https://aka.ms/dotnet-warnings/
                                Source: System.Diagnostics.EventLog.dll.24.drString found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
                                Source: xdnup.dll.1.drString found in binary or memory: https://d.symcb.com/cps0%
                                Source: xdnup.dll.1.drString found in binary or memory: https://d.symcb.com/rpa0
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2B05000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2B01000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2B05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2ADF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.3.exe
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033244997.00000224D2A72000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2691785056.000001EDFB110000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Security.Cryptography.Cng.dll.1.dr, System.Reflection.Emit.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Private.DataContractSerialization.dll.1.dr, Microsoft.CSharp.dll.1.dr, Microsoft.Extensions.FileSystemGlobbing.dll.24.dr, System.Diagnostics.EventLog.dll.24.dr, System.Threading.Tasks.Dataflow.dll.1.dr, System.Reflection.Primitives.dll.1.dr, System.Data.Common.dll.1.drString found in binary or memory: https://github.com/dotnet/runtime
                                Source: System.Threading.Tasks.Dataflow.dll.1.drString found in binary or memory: https://github.com/dotnet/runtimew
                                Source: AteraAgent.exe, 0000000D.00000002.2398959302.000002BBE95A2000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: System.Data.Common.dll.1.drString found in binary or memory: https://github.com/mono/linker/issues/1187
                                Source: Microsoft.CSharp.dll.1.drString found in binary or memory: https://github.com/mono/linker/issues/1416.
                                Source: Microsoft.CSharp.dll.1.drString found in binary or memory: https://github.com/mono/linker/issues/1906.
                                Source: System.Data.Common.dll.1.drString found in binary or memory: https://github.com/mono/linker/issues/1981
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/NLog/wiki/Configuration-file#variables
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/NLog/wiki/Layout-Renderers
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/NLog/wiki/Targets
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/nlog/wiki/Configuration-file
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000020.00000000.2072061781.000001EDE1F02000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183096187.000001E369CF8000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHrH
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAR
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAge
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD08BD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0734000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0838000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD096C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0734000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0838000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.9/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip?lE1JX9
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148967C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?lE1JX9mqJo
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0734000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0838000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.9/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?lE1JX9
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148967C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?lE1J
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?lE1JX
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.1/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.1/AgentPackageOsUpdates.zip?lE1JX9m
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.0/AgentPackageProgramManage
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip?lE1JX9mqJ
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.000001489675C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zip?lE1
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip?l
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD096C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0734000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0838000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000000.2072061781.000001EDE1F02000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000000.2072061781.000001EDE1F02000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.comR
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B3F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B3F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489651A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148967A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1f7cd882-99b9-4edc-8358-a44cbac962fe
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=246bfa70-210d-46d7-81aa-ffbb467012bf
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=54d33d34-c90c-4ede-831e-f1f741c1dedc
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=74aefc3d-4ad8-443f-9a76-02e92e94cf67
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7514622b-7504-4e73-83c1-cb213deb3a6a
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c02a4023-6baa-4600-8d1c-cde6a0bc9950
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.000001489651A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fdf9888c-209c-49ee-a038-02e568237b90
                                Source: AteraAgent.exe, 00000018.00000002.2692056998.00000148967A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489651A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/a6dedb0f
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896578000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/a6dedb0f-2022-4aea-abf1
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.comR
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2185412553.000001E369DC2000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2186220569.000001E369E24000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2185412553.000001E369DC2000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msiString found in binary or memory: https://www.digicert.com/CPS0
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183096187.000001E369CF8000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033244997.00000224D2A72000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2691785056.000001EDFB110000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmp, libssl-3.dll.1.drString found in binary or memory: https://www.openssl.org/H
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2239122661.00007FFDF18B4000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file

                                Spam, unwanted Advertisements and Ransom Demands

                                barindex
                                Reads the Security eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Reads the System eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d404.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID54C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID81C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEAF9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIED2C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIED5C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEDAB.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF0E8.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d406.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d406.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICED.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d407.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD74.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE31.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB18D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC6CB.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICAD4.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d40a.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d40a.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFF43.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI406.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1954.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1E66.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI232A.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d40c.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI25CB.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2687.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FFE.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI44DF.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI47FD.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4AFC.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4B7A.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI624E.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI625F.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI62ED.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI634B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d418.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d418.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68CB.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d419.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7DF9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7F14.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d41c.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d41c.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9C80.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d41d.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9DAA.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E91F8AC1-4917-455E-AACA-B40B193C7A62}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9E09.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d420.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d420.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9EC5.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d421.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA02D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA07D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d424.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\50d424.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA262.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\system32\SRCF3E9.tmp
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\system32\SRCF3E9.tmp
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSID54C.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_06A800404_3_06A80040
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_070E59A85_3_070E59A8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_070E50B85_3_070E50B8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_070E4D685_3_070E4D68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B34C92212_2_00007FFD9B34C922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B34BB7612_2_00007FFD9B34BB76
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B340C1D12_2_00007FFD9B340C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B360C5813_2_00007FFD9B360C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B37C91013_2_00007FFD9B37C910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B38602013_2_00007FFD9B386020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B371CF013_2_00007FFD9B371CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B369AF213_2_00007FFD9B369AF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B37900E13_2_00007FFD9B37900E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B37CF5813_2_00007FFD9B37CF58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B571FDB13_2_00007FFD9B571FDB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B57FE9113_2_00007FFD9B57FE91
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5858B813_2_00007FFD9B5858B8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B57E48D13_2_00007FFD9B57E48D
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_0716767816_3_07167678
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_0716004016_3_07160040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B35FA9420_2_00007FFD9B35FA94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3578D620_2_00007FFD9B3578D6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B36108C20_2_00007FFD9B36108C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B35182820_2_00007FFD9B351828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B35868220_2_00007FFD9B358682
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B37047D20_2_00007FFD9B37047D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3512FA20_2_00007FFD9B3512FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3610C020_2_00007FFD9B3610C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B35BDB020_2_00007FFD9B35BDB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B35182822_2_00007FFD9B351828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3512FA22_2_00007FFD9B3512FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B33D3E824_2_00007FFD9B33D3E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B341D7824_2_00007FFD9B341D78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B341D1024_2_00007FFD9B341D10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B549C2D24_2_00007FFD9B549C2D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B5568B024_2_00007FFD9B5568B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B54AD4824_2_00007FFD9B54AD48
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B35895627_2_00007FFD9B358956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B36D35027_2_00007FFD9B36D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B3512FA27_2_00007FFD9B3512FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B3766B027_2_00007FFD9B3766B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B35970227_2_00007FFD9B359702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B35C47F27_2_00007FFD9B35C47F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B365B3127_2_00007FFD9B365B31
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B35073027_2_00007FFD9B350730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3352FA32_2_00007FFD9B3352FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3419B032_2_00007FFD9B3419B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B336F5932_2_00007FFD9B336F59
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3315FD32_2_00007FFD9B3315FD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B33847632_2_00007FFD9B338476
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3213F332_2_00007FFD9B3213F3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B341AA832_2_00007FFD9B341AA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B341A7832_2_00007FFD9B341A78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B341A8032_2_00007FFD9B341A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3212DF32_2_00007FFD9B3212DF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B33F1D332_2_00007FFD9B33F1D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3211F232_2_00007FFD9B3211F2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B33F0C232_2_00007FFD9B33F0C2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3208D332_2_00007FFD9B3208D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B32108032_2_00007FFD9B321080
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B33F12032_2_00007FFD9B33F120
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B32083832_2_00007FFD9B320838
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B320ED332_2_00007FFD9B320ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B3206D332_2_00007FFD9B3206D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFD9B32074032_2_00007FFD9B320740
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF179B88035_2_00007FFDF179B880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF18501E035_2_00007FFDF18501E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF18420E035_2_00007FFDF18420E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF184696035_2_00007FFDF1846960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF182320035_2_00007FFDF1823200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF178F22035_2_00007FFDF178F220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17A917035_2_00007FFDF17A9170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17111B035_2_00007FFDF17111B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF177F1B035_2_00007FFDF177F1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF18450F035_2_00007FFDF18450F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17EF3E035_2_00007FFDF17EF3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17AB37035_2_00007FFDF17AB370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17393D035_2_00007FFDF17393D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171F34035_2_00007FFDF171F340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17AD35035_2_00007FFDF17AD350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171D28435_2_00007FFDF171D284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF175F63035_2_00007FFDF175F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171D63435_2_00007FFDF171D634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF172564035_2_00007FFDF1725640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF177B64735_2_00007FFDF177B647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171955C35_2_00007FFDF171955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171347435_2_00007FFDF1713474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17174B035_2_00007FFDF17174B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF172D83035_2_00007FFDF172D830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF186184035_2_00007FFDF1861840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF175D77035_2_00007FFDF175D770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF176F78035_2_00007FFDF176F780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF185F79035_2_00007FFDF185F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17836E035_2_00007FFDF17836E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17B772035_2_00007FFDF17B7720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17B169035_2_00007FFDF17B1690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF18056D035_2_00007FFDF18056D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF177B9F035_2_00007FFDF177B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF173D91035_2_00007FFDF173D910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17718DA35_2_00007FFDF17718DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF173BBE035_2_00007FFDF173BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1853C2035_2_00007FFDF1853C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17FDB8035_2_00007FFDF17FDB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1759BA035_2_00007FFDF1759BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17B3AF035_2_00007FFDF17B3AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1777B3035_2_00007FFDF1777B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1749A6035_2_00007FFDF1749A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17C7A6035_2_00007FFDF17C7A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1745AD035_2_00007FFDF1745AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1743E1035_2_00007FFDF1743E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1725E5035_2_00007FFDF1725E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1759CF035_2_00007FFDF1759CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17E7D2035_2_00007FFDF17E7D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17EDCC035_2_00007FFDF17EDCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17FBCD035_2_00007FFDF17FBCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF176FEF035_2_00007FFDF176FEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17A5F2035_2_00007FFDF17A5F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1727F3035_2_00007FFDF1727F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1749F3035_2_00007FFDF1749F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1757E7035_2_00007FFDF1757E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17C5EA035_2_00007FFDF17C5EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17B7EA035_2_00007FFDF17B7EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1793EB035_2_00007FFDF1793EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1717EC035_2_00007FFDF1717EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17AFED035_2_00007FFDF17AFED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17CC22035_2_00007FFDF17CC220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF178224035_2_00007FFDF1782240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF179C11035_2_00007FFDF179C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17B40A035_2_00007FFDF17B40A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17AA0C035_2_00007FFDF17AA0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17BA2F035_2_00007FFDF17BA2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF173231035_2_00007FFDF1732310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17D831035_2_00007FFDF17D8310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF173033035_2_00007FFDF1730330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17B22B035_2_00007FFDF17B22B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF179060035_2_00007FFDF1790600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17F659035_2_00007FFDF17F6590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17CE59035_2_00007FFDF17CE590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF184E5B035_2_00007FFDF184E5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF18305D035_2_00007FFDF18305D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17185D435_2_00007FFDF17185D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17CA5D035_2_00007FFDF17CA5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF176051035_2_00007FFDF1760510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171A52435_2_00007FFDF171A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF179455035_2_00007FFDF1794550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17764A035_2_00007FFDF17764A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17244DC35_2_00007FFDF17244DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17AA7E035_2_00007FFDF17AA7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171E80C35_2_00007FFDF171E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF172E72035_2_00007FFDF172E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF172273835_2_00007FFDF1722738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF184C68035_2_00007FFDF184C680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1718A3C35_2_00007FFDF1718A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF176E99035_2_00007FFDF176E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF180691035_2_00007FFDF1806910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF172886035_2_00007FFDF1728860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17D686035_2_00007FFDF17D6860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17688A035_2_00007FFDF17688A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17128C035_2_00007FFDF17128C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17BCC0035_2_00007FFDF17BCC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1768B9035_2_00007FFDF1768B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17FAB0035_2_00007FFDF17FAB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF178CB5035_2_00007FFDF178CB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1758A6035_2_00007FFDF1758A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17DAA7035_2_00007FFDF17DAA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1736A8035_2_00007FFDF1736A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1770E3035_2_00007FFDF1770E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF184CD6035_2_00007FFDF184CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1714DB435_2_00007FFDF1714DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1784D0035_2_00007FFDF1784D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1860D3035_2_00007FFDF1860D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1796D2035_2_00007FFDF1796D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17D8D2035_2_00007FFDF17D8D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1844C8035_2_00007FFDF1844C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1726CC035_2_00007FFDF1726CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF175ACD035_2_00007FFDF175ACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF175902035_2_00007FFDF1759020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1722F8C35_2_00007FFDF1722F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF175AFB035_2_00007FFDF175AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17AEFD035_2_00007FFDF17AEFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF173CE7035_2_00007FFDF173CE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171CEA835_2_00007FFDF171CEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B33BD6135_2_00007FFD9B33BD61
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B335D0F35_2_00007FFD9B335D0F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B33D12635_2_00007FFD9B33D126
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B5531C635_2_00007FFD9B5531C6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B552AEB35_2_00007FFD9B552AEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B55EFA835_2_00007FFD9B55EFA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B65485235_2_00007FFD9B654852
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B664D1735_2_00007FFD9B664D17
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B660CB035_2_00007FFD9B660CB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B65950535_2_00007FFD9B659505
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B72F44435_2_00007FFD9B72F444
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B72F37835_2_00007FFD9B72F378
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B720A9735_2_00007FFD9B720A97
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B724EA835_2_00007FFD9B724EA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B7331F035_2_00007FFD9B7331F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B8DBB1D35_2_00007FFD9B8DBB1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B8D3D6535_2_00007FFD9B8D3D65
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B8C04E835_2_00007FFD9B8C04E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B8C78B135_2_00007FFD9B8C78B1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B8D3EF035_2_00007FFD9B8D3EF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B8CCD9035_2_00007FFD9B8CCD90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B663C7135_2_00007FFD9B663C71
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF18606B0 appears 145 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1861D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1861B70 appears 102 times
                                Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Private.Xml.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-datetime-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Reflection.Metadata.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Threading.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-crt-time-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Reflection.TypeExtensions.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-console-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Private.DataContractSerialization.dll.1.drStatic PE information: No import functions for PE file found
                                Source: Microsoft.CSharp.dll.1.drStatic PE information: No import functions for PE file found
                                Source: z8yxMFhhZI.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs z8yxMFhhZI.msi
                                Source: z8yxMFhhZI.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs z8yxMFhhZI.msi
                                Source: z8yxMFhhZI.msiBinary or memory string: OriginalFilenamewixca.dll\ vs z8yxMFhhZI.msi
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@163/1172@0/8
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: NULL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8032:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8108:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4900:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7776:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5312:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1640:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7324:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:180:120:WilError_03
                                Source: C:\Windows\Temp\SplashtopStreamer.exeMutant created: \BaseNamedObjects\Global\{47B9233E-7E50-46F2-B442-6A53F0D0F508}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7896:120:WilError_03
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF5AA26B837347CAF4.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSID54C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5297578 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@X9
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@X9
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3005AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@X9
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: MSI406.tmp.1.drBinary or memory string: SELECT Feature_ FROM ISSetupTypeFeatures WHERE ISSetupType_ = '%s'SetupType.cppsysnativesyswow64SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs[Win32]SharedFiles.cpp;Page UpPage DownEndHomeLeftUpRightDownInsertNum *Num /Num +Num -
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@X9
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2187907134.000001E36A9B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@X9
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3005AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: z8yxMFhhZI.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: z8yxMFhhZI.msiReversingLabs: Detection: 26%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z8yxMFhhZI.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0665D20C0C89E79051AAD52EC447123B
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSID54C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5297578 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSID81C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5298234 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIEAF9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5303046 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CA0C5DC5313F71A0151B846B9DF49599 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="marisol.condimentos@hotmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ND5FxIAL" /AgentId="a6dedb0f-2022-4aea-abf1-f34b9f20892e"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5311734 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "68b87b08-ee5a-4a28-b15f-bf80d4fa6d54" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "6ff523c4-fe05-487b-a560-69e402e17cca" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "0a4bcae9-40bd-4b1b-b8e4-0618fbce3416" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "e41a296a-bcac-4b5c-8bc7-2e8c101aed07" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "74fce1a7-1569-4d1d-870e-be0a7f6a226e" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F8E5523720913A12EDC79533245EA2A0 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59A2717C-22F7-4A43-A7C1-00D51E25C2A7}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C9DF522-E68D-4E9E-888D-42C716E8ED46}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{93B32141-75DD-468F-91FD-A34B20052481}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02BC1A4E-DCC8-4D67-9DD0-6286586A3FE7}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{97507E97-1CE2-42FF-A992-32B34D8B9AF8}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{937EEFBD-E420-4210-82B0-5A755D4DC99D}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{096088E7-31E4-460F-A477-AA5FD56C0C67}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C08DB0C-2CD4-44D8-B8C1-2ED1CF4D0265}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F24D5FAD-F814-47DB-BA4C-8D4C9227B143}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{42674A53-EFF1-4628-AC3D-41E80A5C40CB}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0665D20C0C89E79051AAD52EC447123BJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CA0C5DC5313F71A0151B846B9DF49599 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="marisol.condimentos@hotmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ND5FxIAL" /AgentId="a6dedb0f-2022-4aea-abf1-f34b9f20892e"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F8E5523720913A12EDC79533245EA2A0 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSID54C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5297578 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSID81C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5298234 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStartJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIEAF9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5303046 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5311734 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEndJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "68b87b08-ee5a-4a28-b15f-bf80d4fa6d54" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "6ff523c4-fe05-487b-a560-69e402e17cca" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "0a4bcae9-40bd-4b1b-b8e4-0618fbce3416" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "e41a296a-bcac-4b5c-8bc7-2e8c101aed07" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "74fce1a7-1569-4d1d-870e-be0a7f6a226e" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59A2717C-22F7-4A43-A7C1-00D51E25C2A7}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C9DF522-E68D-4E9E-888D-42C716E8ED46}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{93B32141-75DD-468F-91FD-A34B20052481}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02BC1A4E-DCC8-4D67-9DD0-6286586A3FE7}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{97507E97-1CE2-42FF-A992-32B34D8B9AF8}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{937EEFBD-E420-4210-82B0-5A755D4DC99D}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{096088E7-31E4-460F-A477-AA5FD56C0C67}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C08DB0C-2CD4-44D8-B8C1-2ED1CF4D0265}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F24D5FAD-F814-47DB-BA4C-8D4C9227B143}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{42674A53-EFF1-4628-AC3D-41E80A5C40CB}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: winsta.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: gpapi.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: wtsapi32.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: version.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: wldp.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: propsys.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: profapi.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: vaultcli.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: wintypes.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: edputil.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: iertutil.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: netutils.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: srvcli.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: urlmon.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: sspicli.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: logoncli.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: wkscli.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: samcli.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: netapi32.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: textshaping.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: appresolver.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: bcp47langs.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exeSection loaded: slc.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                                Source: C:\Windows\System32\msiexec.exeFile written: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.iniJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLL
                                Source: Window RecorderWindow detected: More than 3 window changes detected
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\sharedJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.AppJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.deps.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-convert-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.SecureString.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.AppContext.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-handle-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-utility-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-process-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Writer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-fibers-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Buffers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Brotli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.ServicePoint.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.DataSetExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.X509Certificates.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tracing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Concurrent.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.FileVersionInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Debug.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Timer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\coreclr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Loader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.RegularExpressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Calendars.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.Unsafe.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TextWriterTraceListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-profile-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-locale-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Uri.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Watcher.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-errorhandling-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.CoreLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Algorithms.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\netstandard.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.35Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.35\hostfxr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\dotnet.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\ThirdPartyNotices.txtJump to behavior
                                Source: z8yxMFhhZI.msiStatic file information: File size 2994176 > 1048576
                                Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: MSI406.tmp.1.dr
                                Source: Binary string: System.Threading.Tasks.Dataflow.ni.pdb source: System.Threading.Tasks.Dataflow.dll.1.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000023.00000002.2180486660.000001E369AF2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: Microsoft.CSharp.ni.pdb source: Microsoft.CSharp.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Primitives\net6.0-Release\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.FileSystemGlobbing/Release/net6.0/Microsoft.Extensions.FileSystemGlobbing.pdb source: Microsoft.Extensions.FileSystemGlobbing.dll.24.dr
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.DiagnosticSource/net45-Release/System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll1.24.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdb source: SRUsb.exe.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2033141606.00000224D2992000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000023.00000002.2185412553.000001E369DC2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Cng\net6.0-windows-Release\System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdb source: System.Runtime.InteropServices.dll.24.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdbH5b5 T5_CorDllMainmscoree.dll source: System.Runtime.InteropServices.dll.24.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\net6.0-windows-Release\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2177273190.000001E3690F2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0-windows/System.Diagnostics.EventLog.pdbSHA256 source: System.Diagnostics.EventLog.dll.24.dr
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb* source: System.Diagnostics.Process.dll.24.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\svn\branches\features\iris00_v3_20150407_69486\win32\stxpsdrv\src\filters\nup\objfre_win7_x86\i386\xdnup.pdb source: xdnup.dll.1.dr
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AteraAgent.exe, 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdbH source: SRUsb.exe.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\net6.0-Release\System.Data.Common.pdb source: System.Data.Common.dll.1.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
                                Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: System.Private.DataContractSerialization.dll.1.dr
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2398959302.000002BBE95A2000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2398959302.000002BBE95A2000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Dataflow\net6.0-Release\System.Threading.Tasks.Dataflow.pdb source: System.Threading.Tasks.Dataflow.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb source: System.Diagnostics.Process.dll.24.dr
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2180832610.000001E369BA2000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2006129029.00000224D2072000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2180486660.000001E369AF2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\SRUnPackFile.pdb source: SplashtopStreamer.exe, 00000025.00000000.2183490245.000000000042E000.00000002.00000001.01000000.00000023.sdmp, SplashtopStreamer.exe, 00000025.00000002.2600898671.000000000042E000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdbt+ source: System.Xml.XDocument.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033244997.00000224D2A72000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2691785056.000001EDFB110000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\PreVerCheck.pdb source: PreVerCheck.exe, 00000027.00000000.2233740300.00000000009A3000.00000002.00000001.01000000.00000026.sdmp, PreVerCheck.exe, 00000027.00000002.2577489806.00000000009A3000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033244997.00000224D2A72000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2691785056.000001EDFB110000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb8+N+ @+_CorDllMainmscoree.dll source: System.Reflection.Primitives.dll.1.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: c:\svn\branches\features\iris00_v3_20150407_69486\win32\stxpsdrv\src\filters\nup\objfre_win7_x86\i386\xdnup.pdbh source: xdnup.dll.1.dr
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: z8yxMFhhZI.msi
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/Release/net6.0-windows/System.Diagnostics.EventLog.pdb source: System.Diagnostics.EventLog.dll.24.dr
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000023.00000002.2177273190.000001E3690F2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: _isB2BB.exe, 0000002A.00000002.2303086933.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002A.00000000.2297760525.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002B.00000000.2298641530.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002B.00000002.2302332461.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002C.00000000.2299455318.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002C.00000002.2304448266.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002D.00000002.2303511867.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002D.00000000.2301125344.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002E.00000002.2306176759.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002E.00000000.2302332958.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002F.00000000.2304448637.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 0000002F.00000002.2334765018.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000030.00000002.2309764890.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000030.00000000.2305391417.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000031.00000000.2306334387.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000031.00000002.2308962544.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000032.00000002.2311054746.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000032.00000000.2307549447.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000033.00000000.2308961588.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp, _isB2BB.exe, 00000033.00000002.2312419003.00007FF7F1467000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\net6.0-Release\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2033141606.00000224D2992000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/net6.0-Release/System.Private.DataContractSerialization.pdb source: System.Private.DataContractSerialization.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.1.dr
                                Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: api-ms-win-core-localization-l1-2-0.dll.1.dr
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb source: PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: System.Security.Cryptography.Cng.ni.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2237345248.00007FFDF186A000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb{ source: PreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\net6.0-windows-Release\Microsoft.CSharp.pdb source: Microsoft.CSharp.dll.1.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1855945376.000001DF24F82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1855945376.000001DF24F82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2185412553.000001E369DC2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: z8yxMFhhZI.msi, MSID54C.tmp.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Dataflow\net6.0-Release\System.Threading.Tasks.Dataflow.pdbRSDS source: System.Threading.Tasks.Dataflow.dll.1.dr
                                Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.1.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.24.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\winddk\7600.16385.1\src\setup\difxapi\difxcmd\objfre_win7_x86\i386\DIFxCmd.pdb source: DIFxCmd.exe.1.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.FileSystemGlobbing/Release/net6.0/Microsoft.Extensions.FileSystemGlobbing.pdbSHA256 source: Microsoft.Extensions.FileSystemGlobbing.dll.24.dr
                                Source: System.Runtime.Serialization.dll.1.drStatic PE information: 0xE4E394AE [Sat Sep 8 19:59:42 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1721910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDF1721910
                                Source: System.IO.Compression.Native.dll.1.drStatic PE information: section name: _RDATA
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_069957B8 push es; ret 4_3_06995840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_06994E90 push es; ret 4_3_06994EA0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_0699AEBF push es; retn 06A1h4_3_0699AEDC
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_06995850 push es; ret 4_3_069958E0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_06A884A1 push es; ret 4_3_06A884B0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_06A84ECF push dword ptr [esp+ecx*2-75h]; ret 4_3_06A84ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B380A9A pushad ; ret 13_2_00007FFD9B380AA9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5758D3 push esp; retn 5F2Ah13_2_00007FFD9B5762D9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B58431E push ecx; iretd 13_2_00007FFD9B58435C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B571EFC push eax; ret 13_2_00007FFD9B571F14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5709B1 push eax; ret 13_2_00007FFD9B5709D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5711E1 push eax; ret 13_2_00007FFD9B571204
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_07164ECF push dword ptr [esp+ecx*2-75h]; ret 16_3_07164ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3500BD pushad ; iretd 20_2_00007FFD9B3500C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B365587 push ebp; iretd 20_2_00007FFD9B3655D8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3500BD pushad ; iretd 22_2_00007FFD9B3500C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B33A64C push eax; retf 24_2_00007FFD9B33A661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B33A650 push eax; retf 24_2_00007FFD9B33A661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B3425F2 push eax; iretd 24_2_00007FFD9B342631
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B342DFA push FFFFFFE8h; retf 24_2_00007FFD9B342EF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B540F38 push eax; ret 24_2_00007FFD9B540F94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B552485 push ds; ret 24_2_00007FFD9B55248F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B36D1B8 pushad ; iretd 27_2_00007FFD9B37AA45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B363A4D push ebx; retf 27_2_00007FFD9B363A6A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B36792B push ebx; retf 27_2_00007FFD9B36796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B36FFB8 push FFFFFFE8h; retf 27_2_00007FFD9B36FFF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B36FEFA push FFFFFFE8h; retf 27_2_00007FFD9B36FFF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B352D95 push eax; ret 27_2_00007FFD9B352E1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B368163 push ebx; ret 27_2_00007FFD9B36816A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B3500BD pushad ; iretd 27_2_00007FFD9B3500C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B35F650 push eax; iretd 27_2_00007FFD9B35F65D

                                Persistence and Installation Behavior

                                barindex
                                Creates files in the system32 config directory
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Sample is not signed and drops a device driver
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB18D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICED.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 50d410.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID54C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI62ED.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9DAA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.DataSetExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEAF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7DF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\dotnet.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1E66.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.AppContext.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA02D.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4AFC.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\netstandard.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 50d412.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 50d415.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9EC5.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Loader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9C80.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF0E8.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC6CB.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE31.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1954.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FFE.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 50d416.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\coreclr.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\host\fxr\6.0.35\hostfxr.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.CoreLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEDAB.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2687.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI47FD.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Uri.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI232A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4B7A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI406.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 50d414.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 50d413.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI625F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.FileSystem.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIED5C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA262.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-fibers-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI25CB.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68CB.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI634B.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.ServicePoint.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD74.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID81C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEDAB.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEAF9.tmpJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeFile created: C:\Windows\Temp\unpack\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2687.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB18D.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIED5C.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI47FD.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\_is3F8.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF0E8.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\System32\SRCF3E9.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI232A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA262.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICED.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA02D.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC6CB.tmpJump to dropped file
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile created: C:\Windows\Temp\unpack\PreVerCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7DF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4B7A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4AFC.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI25CB.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE31.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9EC5.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1954.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68CB.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID54C.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI634B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\_isB0F3.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FFE.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\ISRT.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\ISRT.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeFile created: C:\Windows\Temp\unpack\libcrypto-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI62ED.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\_is986.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9DAA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI406.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\_isEEE7.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID54C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD74.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSID81C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\ISRT.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID81C.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICED.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI625F.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1E66.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9C80.tmpJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeFile created: C:\Windows\Temp\unpack\libssl-3.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\system32\SRCredentialProvider.dll (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIEAF9.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\LICENSE.txtJump to behavior

                                Boot Survival

                                barindex
                                Installs Task Scheduler Managed Wrapper
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\Splashtop Streamer.lnk
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,35_2_00007FFDF171A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1DF0AD50000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1DF24640000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2BBD03B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2BBE8650000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 224D22E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 224EAB30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 17BC9390000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 17BE1B90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 14895CC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 148AE490000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 14CEB010000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 14CEB200000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 1EDE2250000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 1EDFA980000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1E368AE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1E3691C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599434
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599327
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599215
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598732
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598404
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598076
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597967
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597857
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596977
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596873
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596107
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595958
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595839
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595732
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595623
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599639
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599516
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599405
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599066
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598817
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598457
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597920
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597809
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597491
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597242
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597121
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596992
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596778
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596668
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596451
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596115
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595856
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595743
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595633
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595311
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595159
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594777
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594670
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594544
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594210
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594062
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593948
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593606
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593389
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593270
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592903
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592686
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592575
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 3219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6512
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6415
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 3070
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 4684
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 4389
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 7361
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 2229
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3214
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 598
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB18D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\ISRT.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICED.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID54C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7DF9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4AFC.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\system32\SRCredentialProvider.dll (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 50d412.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 50d415.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9EC5.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Loader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9C80.tmpJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeDropped PE file which has not been started: C:\Windows\Temp\unpack\libssl-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeDropped PE file which has not been started: C:\Windows\Temp\unpack\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAE31.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 50d416.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\host\fxr\6.0.35\hostfxr.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSID81C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2687.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSID81C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 50d413.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEAF9.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIED5C.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-fibers-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI68CB.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAD74.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID81C.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI62ED.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9DAA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.DataSetExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEAF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\SRCF3E9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\dotnet.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSICED.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 5912Thread sleep time: -30000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1520Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7068Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7248Thread sleep count: 3219 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7248Thread sleep count: 6512 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7524Thread sleep time: -24903104499507879s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7524Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7552Thread sleep time: -210000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7664Thread sleep time: -2767011611056431s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7548Thread sleep time: -90000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7508Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7840Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7812Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7936Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7988Thread sleep count: 6415 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7988Thread sleep count: 3070 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 824Thread sleep time: -27670116110564310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 344Thread sleep time: -280000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2872Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3152Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7260Thread sleep count: 4684 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7260Thread sleep count: 4389 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -26747778906878833s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -599656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -599546s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -599434s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -599327s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -599215s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -598732s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -598624s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -598515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -598404s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -598296s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -598187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -598076s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597967s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597857s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -597093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -596977s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -596873s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -596765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -596344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -596107s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595958s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595839s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595732s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595623s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595296s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1144Thread sleep time: -595078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7684Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8156Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep count: 38 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -35048813740048126s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7460Thread sleep count: 7361 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599639s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599516s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599405s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -599066s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7460Thread sleep count: 2229 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598937s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598817s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598457s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598328s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -598040s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -597920s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -597809s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -597656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -597491s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -597375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -597242s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -597121s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596992s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596778s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596668s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596562s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596451s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596343s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -596115s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595856s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595743s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595633s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595311s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -595159s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -594907s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -594777s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -594670s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -594544s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -594391s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -594210s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -594062s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593948s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593606s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593500s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593389s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593270s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593141s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -593016s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -592903s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -592797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -592686s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -592575s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -592469s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -592359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7432Thread sleep time: -592250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7520Thread sleep count: 3214 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7536Thread sleep time: -10145709240540247s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7536Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4604Thread sleep count: 598 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7420Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5920Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\Temp\SplashtopStreamer.exe TID: 1184Thread sleep time: -33000s >= -30000s
                                Source: C:\Windows\SysWOW64\msiexec.exe TID: 1860Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599434
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599327
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599215
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598732
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598404
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598076
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597967
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597857
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596977
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596873
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596107
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595958
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595839
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595732
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595623
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599639
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599516
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599405
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599066
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598817
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598457
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597920
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597809
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597491
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597242
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597121
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596992
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596778
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596668
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596451
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596115
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595856
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595743
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595633
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595311
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595159
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594777
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594670
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594544
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594210
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594062
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593948
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593606
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593389
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593270
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592903
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592686
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592575
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: svchost.exe, 00000026.00000003.2242830722.000001B9AB0DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: svchost.exe, 00000026.00000002.2957027960.000001B9AB02B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @"VMware"vc
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: svchost.exe, 00000026.00000002.2957134654.000001B9AB068000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A.WS
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2307548451.0000014CEBBF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWe
                                Source: svchost.exe, 00000026.00000002.2957527055.000001B9AB0A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24EF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E8D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24EC5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: svchost.exe, 00000026.00000002.2957715979.000001B9AB0D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: svchost.exe, 00000026.00000003.2242830722.000001B9AB0DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 00000014.00000000.2006129029.00000224D2072000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000026.00000002.2957527055.000001B9AB0A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176993792.000001E369092000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: vmware
                                Source: svchost.exe, 00000026.00000002.2957084177.000001B9AB04B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2303791522.0000014CEBA4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2303006674.0000014CEBA3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStoppedice"f
                                Source: svchost.exe, 00000026.00000002.2957715979.000001B9AB0D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219h
                                Source: rundll32.exe, 00000010.00000002.1901795001.0000000003006000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000026.00000002.2957715979.000001B9AB0B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AteraAgent.exe, 00000018.00000002.2727562739.00000148AEC4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF
                                Source: svchost.exe, 00000026.00000002.2957084177.000001B9AB04B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2303791522.0000014CEBA4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: svchost.exe, 00000026.00000002.2957527055.000001B9AB0A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware2Virtual disk#
                                Source: svchost.exe, 00000026.00000002.2957134654.000001B9AB068000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 @
                                Source: rundll32.exe, 00000004.00000002.1770285027.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2034231651.00000224EB1F0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2307548451.0000014CEBC27000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2694524998.000001EDFB1C0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2179127584.000001E3699F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: svchost.exe, 00000026.00000002.2957527055.000001B9AB09C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: AteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176993792.000001E369092000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2306365898.0000014CEBACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown.
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped?
                                Source: AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: svchost.exe, 00000026.00000002.2957715979.000001B9AB0B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000026.00000003.2242830722.000001B9AB0DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1721910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDF1721910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF175B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,35_2_00007FFDF175B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1721910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDF1721910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1717A84 GetProcessHeap,35_2_00007FFDF1717A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_00007FFDF171ACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior

                                HIPS / PFW / Operating System Protection Evasion

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="marisol.condimentos@hotmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ND5FxIAL" /AgentId="a6dedb0f-2022-4aea-abf1-f34b9f20892e"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "68b87b08-ee5a-4a28-b15f-bf80d4fa6d54" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "6ff523c4-fe05-487b-a560-69e402e17cca" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "0a4bcae9-40bd-4b1b-b8e4-0618fbce3416" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "e41a296a-bcac-4b5c-8bc7-2e8c101aed07" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "74fce1a7-1569-4d1d-870e-be0a7f6a226e" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ND5FxIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="marisol.condimentos@hotmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000nd5fxial" /agentid="a6dedb0f-2022-4aea-abf1-f34b9f20892e"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "68b87b08-ee5a-4a28-b15f-bf80d4fa6d54" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "6ff523c4-fe05-487b-a560-69e402e17cca" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "0a4bcae9-40bd-4b1b-b8e4-0618fbce3416" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "e41a296a-bcac-4b5c-8bc7-2e8c101aed07" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kin0=" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "74fce1a7-1569-4d1d-870e-be0a7f6a226e" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000nd5fxial
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="marisol.condimentos@hotmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000nd5fxial" /agentid="a6dedb0f-2022-4aea-abf1-f34b9f20892e"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "68b87b08-ee5a-4a28-b15f-bf80d4fa6d54" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "6ff523c4-fe05-487b-a560-69e402e17cca" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "0a4bcae9-40bd-4b1b-b8e4-0618fbce3416" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "e41a296a-bcac-4b5c-8bc7-2e8c101aed07" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kin0=" 001q300000nd5fxial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "74fce1a7-1569-4d1d-870e-be0a7f6a226e" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000nd5fxial
                                Source: MSI406.tmp.1.drBinary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
                                Source: MSI406.tmp.1.drBinary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171739C cpuid 35_2_00007FFDF171739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID54C.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID81C.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID81C.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID81C.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIEAF9.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICED.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICED.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF171CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,35_2_00007FFDF171CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF17185D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,35_2_00007FFDF17185D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Remote Access Functionality

                                barindex
                                Yara detected AteraAgent
                                Source: Yara matchFile source: 12.0.AteraAgent.exe.1df0a9f0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 24.2.AteraAgent.exe.14896d698a0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.2.AgentPackageMonitoring.exe.1e369090000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 32.0.AgentPackageSTRemote.exe.1ede1f00000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 24.2.AteraAgent.exe.14896b4b638.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.2.AgentPackageAgentInformation.exe.224d2990000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.224d2070000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.0.AgentPackageMonitoring.exe.1e368840000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 24.2.AteraAgent.exe.14896c919d0.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEF36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2670881408.000001EDE2350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2683179432.0000014895B2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1851255413.000001DF0ABD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.00000148964FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2342617373.000000FA9D7A5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2298111257.0000014CEA957000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2032657849.00000224D23BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C6CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000003.2061553933.000001C750690000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2175629520.000001C750553000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1852691846.000001DF0AD20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2348840998.000002BBCFD4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2727562739.00000148AEBF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2348840998.000002BBCFD10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2049207030.0000017BC9190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.00000148967A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2682789704.0000014895A20000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C80163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2175632565.000001E368AFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2175933613.000001C750670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2694524998.000001EDFB258000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2636607693.000001EDE2141000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1851255413.000001DF0ABDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2636607693.000001EDE218D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2683179432.0000014895B55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2683179432.0000014895B0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2355737421.000002BBD0530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2189180182.000001E36ABE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2694524998.000001EDFB227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C6F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2188031318.000001E36A9C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2354821548.000002BBCFFF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0942000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2034231651.00000224EB2AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.00000148968E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2050414128.0000017BC9B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2032657849.00000224D2339000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2176993792.000001E369092000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2034231651.00000224EB1F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2175632565.000001E368B7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2159573235.000001E3005AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2033567521.00000224D2B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2346862466.000002BBCFC90000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD096C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2601365382.0000000000530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2050143889.0000017BC93F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEF20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000000.2072061781.000001EDE1F02000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2636607693.000001EDE2100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1856509849.000001DF251EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2312017810.0000014CEBDD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.000001489691A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2176871582.000001E368D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2033567521.00000224D2BA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2601466971.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2298111257.0000014CEA910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2348840998.000002BBCFD18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2049207030.0000017BC91AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2727562739.00000148AEC4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2306564317.0000014CEBAF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1856509849.000001DF2518E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C80093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C801BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1856370967.000001DF25160000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2032657849.00000224D23C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C6F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896E38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2689322174.0000014895E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2671572796.000001EDE2B8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2050414128.0000017BC9C13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2175632565.000001E368B31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEF66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2306758462.0000014CEBAF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2671572796.000001EDE2B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2238998450.00007FFDF18A9000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1851255413.000001DF0AC12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2175629520.000001C75053B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2694524998.000001EDFB1C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2298111257.0000014CEA94D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2355737421.000002BBD05F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C6C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C6FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2187719270.000001E36A7B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C7A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEF9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2174534999.000001E368930000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2636607693.000001EDE2147000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C772000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2348840998.000002BBCFD98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C7BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2187907134.000001E36A9B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C80227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2175632565.000001E368AF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2049207030.0000017BC9218000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2677000286.0000003593725000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2049207030.0000017BC9259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2175632565.000001E368BD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2032527193.00000224D2260000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0CEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2032657849.00000224D237D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.00000148969E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2050414128.0000017BC9C03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.000001489691E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896B5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2049207030.0000017BC9198000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2167451224.000002570ABA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2049207030.0000017BC91CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2179127584.000001E3699F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2636607693.000001EDE2125000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEF50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2392191319.000002BBE9185000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2301128593.0000014CEAB60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2032657849.00000224D2331000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD06D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.000001489675C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896EA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357811653.000002BBD0C9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2394976270.000002BBE930E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1851255413.000001DF0AC61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1851255413.000001DF0AC5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2032657849.00000224D22F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1857972609.00007FFD9B3D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2175629520.000001C750530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2636607693.000001EDE21E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2636607693.000001EDE210C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.00000148967C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2033141606.00000224D2992000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2683179432.0000014895AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2731087701.00000148AEFA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000000.2006129029.00000224D2072000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2159573235.000001E300001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2671572796.000001EDE2981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2484, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2676, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6876, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7020, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7196, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7412, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7768, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7884, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7940, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 8088, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 1832, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 7336, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 6036, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 6688, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: SplashtopStreamer.exe PID: 6732, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF5AA26B837347CAF4.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF313360291D7C6B76.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFE1464EAA1FD9BA8D.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFEC36B845F78A3ACD.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD3CF40D2513F87C8.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFCD0592B522CAB70A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7DB972227FE90FC7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF0490B689FA32AEF4.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFCDCD475ED65E9D68.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF9F6FD42EB6D08AE2.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\50d417.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFAE89339688091080.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7EA9ACF5F9FC6CAE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD164FC693E7E41FE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF8A84F97802C3A2A7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_001_dotnet_hostfxr_6.0.35_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFEE2A53A48B336AC3.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF706722BCB30CA3CA.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA9891912E7317834.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF18FC13D9683BBED2.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF2073CE39DF7B5067.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF010EB22A91E7F034.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF90C17B8167754151.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF26378A7BA606BAFD.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF6C0291E02F452261.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI624E.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF86A68179485913BB.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF07348613B0C561AE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF8CEB021710F2C2B3.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF453E2092A3D8365F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC32A38D1C46623D0.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF41A5E0429566F085.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\50d40f.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIED2C.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF3204F456716B36CD.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA830C2DE52EC24A3.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSID81C.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_002_dotnet_host_6.0.35_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFAD094FD10857892E.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFCAD91CD85BB3FE25.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF026EBC3EB2941CD9.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_000_dotnet_runtime_6.0.35_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\50d405.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF3CB1399B3D4C602A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF14A5FA179E65F7D1.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI44DF.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF175B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,35_2_00007FFDF175B9F0

                                Mitre Att&ck Matrix

                                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                Gather Victim Identity Information1
                                Scripting                                		1
                                Replication Through Removable Media                                		541
                                Windows Management Instrumentation                                		1
                                Scripting                                		1
                                DLL Side-Loading                                		21
                                Disable or Modify Tools                                		OS Credential Dumping2
                                System Time Discovery                                		Remote Services1
                                Archive Collected Data                                		2
                                Encrypted Channel                                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API                                		1
                                DLL Side-Loading                                		31
                                Windows Service                                		1
                                Deobfuscate/Decode Files or Information                                		LSASS Memory11
                                Peripheral Device Discovery                                		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts1
                                Command and Scripting Interpreter                                		31
                                Windows Service                                		112
                                Process Injection                                		3
                                Obfuscated Files or Information                                		Security Account Manager3
                                File and Directory Discovery                                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts1
                                Scheduled Task/Job                                		1
                                Scheduled Task/Job                                		1
                                Scheduled Task/Job                                		1
                                Timestomp                                		NTDS155
                                System Information Discovery                                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts11
                                Service Execution                                		1
                                Registry Run Keys / Startup Folder                                		1
                                Registry Run Keys / Startup Folder                                		1
                                DLL Side-Loading                                		LSA Secrets1
                                Query Registry                                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                File Deletion                                		Cached Domain Credentials671
                                Security Software Discovery                                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items123
                                Masquerading                                		DCSync2
                                Process Discovery                                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                Modify Registry                                		Proc Filesystem361
                                Virtualization/Sandbox Evasion                                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt361
                                Virtualization/Sandbox Evasion                                		/etc/passwd and /etc/shadow1
                                Application Window Discovery                                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron112
                                Process Injection                                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                Rundll32                                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                                Behavior Graph

                                Hide Legend

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1552153 Sample: z8yxMFhhZI.msi Startdate: 08/11/2024 Architecture: WINDOWS Score: 100 155 Multi AV Scanner detection for dropped file 2->155 157 Multi AV Scanner detection for submitted file 2->157 159 Yara detected AteraAgent 2->159 161 7 other signatures 2->161 9 msiexec.exe 501 952 2->9         started        13 AteraAgent.exe 2->13         started        16 AteraAgent.exe 2->16         started        18 3 other processes 2->18 process3 dnsIp4 97 C:\Windows\Installer\...\ARPPRODUCTICON.exe, PE32 9->97 dropped 99 C:\Windows\Installer\MSIEAF9.tmp, PE32 9->99 dropped 101 C:\Windows\Installer\MSID81C.tmp, PE32 9->101 dropped 109 504 other files (435 malicious) 9->109 dropped 171 Sample is not signed and drops a device driver 9->171 20 msiexec.exe 9->20         started        24 msiexec.exe 9->24         started        26 AteraAgent.exe 9->26         started        29 msiexec.exe 9->29         started        149 18.66.112.125 MIT-GATEWAYSUS United States 13->149 103 C:\...\System.Management.dll, PE32 13->103 dropped 105 C:\...105ewtonsoft.Json.dll, PE32 13->105 dropped 107 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 13->107 dropped 111 273 other malicious files 13->111 dropped 173 Installs Task Scheduler Managed Wrapper 13->173 31 sc.exe 13->31         started        151 18.66.112.74 MIT-GATEWAYSUS United States 16->151 153 35.157.63.228 AMAZON-02US United States 16->153 113 31 other malicious files 16->113 dropped 175 Creates files in the system32 config directory 16->175 177 Reads the Security eventlog 16->177 179 Reads the System eventlog 16->179 33 AgentPackageSTRemote.exe 16->33         started        35 AgentPackageAgentInformation.exe 16->35         started        39 4 other processes 16->39 37 Conhost.exe 18->37         started        file5 signatures6 process7 dnsIp8 83 C:\...\SRCredentialProvider.dll (copy), PE32+ 20->83 dropped 85 C:\Windows\Temp\...\_isres_0x0409.dll, PE32 20->85 dropped 87 C:\Windows\Temp\...\_is3F8.exe, PE32+ 20->87 dropped 95 14 other malicious files 20->95 dropped 163 Enables network access during safeboot for specific services 20->163 53 11 other processes 20->53 41 rundll32.exe 24->41         started        55 3 other processes 24->55 141 199.232.210.172 FASTLYUS United States 26->141 143 192.229.221.95 EDGECASTUS United States 26->143 89 C:\Windows\System32\InstallUtil.InstallLog, Unicode 26->89 dropped 91 C:\...\AteraAgent.InstallLog, Unicode 26->91 dropped 165 Reads the Security eventlog 26->165 167 Reads the System eventlog 26->167 58 2 other processes 29->58 45 conhost.exe 31->45         started        145 35.71.184.3 MERIT-AS-14US United States 33->145 147 13.35.58.31 AMAZON-02US United States 33->147 93 C:\Windows\Temp\SplashtopStreamer.exe, PE32 33->93 dropped 169 Creates files in the system32 config directory 33->169 47 SplashtopStreamer.exe 33->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        60 5 other processes 39->60 file9 signatures10 process11 dnsIp12 115 C:\...\AlphaControlAgentInstallation.dll, PE32 41->115 dropped 117 C:\Windows\...\System.Management.dll, PE32 41->117 dropped 119 C:\Windows\Installer\...119ewtonsoft.Json.dll, PE32 41->119 dropped 121 Microsoft.Deployme...indowsInstaller.dll, PE32 41->121 dropped 181 System process connects to network (likely due to code injection or exploit) 41->181 123 C:\Windows\Temp\unpack\PreVerCheck.exe, PE32 47->123 dropped 62 PreVerCheck.exe 47->62         started        65 conhost.exe 53->65         started        139 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 55->139 125 C:\...\AlphaControlAgentInstallation.dll, PE32 55->125 dropped 127 C:\...\AlphaControlAgentInstallation.dll, PE32 55->127 dropped 129 C:\...\AlphaControlAgentInstallation.dll, PE32 55->129 dropped 131 9 other files (none is malicious) 55->131 dropped 67 conhost.exe 58->67         started        69 net1.exe 58->69         started        71 conhost.exe 58->71         started        73 conhost.exe 60->73         started        75 cscript.exe 60->75         started        file13 signatures14 process15 file16 133 C:\Windows\Temp\unpack\libssl-3.dll, PE32 62->133 dropped 135 C:\Windows\Temp\unpack\libcrypto-3.dll, PE32 62->135 dropped 137 C:\Windows\Temp\unpack\SRSocketCtrl.dll, PE32 62->137 dropped 77 msiexec.exe 62->77         started        79 Conhost.exe 73->79         started        81 Conhost.exe 75->81         started        process17

                                Screenshots

                                Thumbnails

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                windows-stand

                                Antivirus, Machine Learning and Genetic Malware Detection

                                Initial Sample

                                SourceDetectionScannerLabelLink
                                z8yxMFhhZI.msi26%ReversingLabsWin32.Trojan.Atera

                                Dropped Files

                                SourceDetectionScannerLabelLink
                                50d410.rbf (copy)21%ReversingLabsWin32.Trojan.Atera
                                50d412.rbf (copy)0%ReversingLabs
                                50d413.rbf (copy)0%ReversingLabs
                                50d414.rbf (copy)0%ReversingLabs
                                50d415.rbf (copy)0%ReversingLabs
                                50d416.rbf (copy)0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe21%ReversingLabsWin32.Trojan.Atera
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll0%ReversingLabs

                                Unpacked PE Files

                                No Antivirus matches

                                Domains

                                No Antivirus matches

                                URLs

                                No Antivirus matches

                                Domains and IPs

                                Contacted Domains

                                No contacted domains info

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://schemas.datacontract.org/2004/07/SystemVSystem.Private.DataContractSerialization.dll.1.drfalse
                                  http://www.certplus.com/CRL/class3.crl0AteraAgent.exe, 0000000D.00000002.2394976270.000002BBE924D000.00000004.00000020.00020000.00000000.sdmpfalse
                                    https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpfalse
                                      http://www.nlog-project.org/schemas/NLog.xsdAteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmpfalse
                                        http://schemas.datacontract.orgAteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpfalse
                                          https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                            http://www.chambersign.org1AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpfalse
                                              https://nlog-project.org/AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183096187.000001E369CF8000.00000002.00000001.01000000.00000022.sdmpfalse
                                                https://agent-api.atera.com/Production/Agent/track-eventrundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  http://dl.google.com/googletalk/googletalk-setup.exeAgentPackageAgentInformation.exe, 00000014.00000000.2006129029.00000224D2072000.00000002.00000001.01000000.00000016.sdmpfalse
                                                    http://ca.disig.sk/ca/crl/ca_disig.crl0AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip?lAteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.zAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000020.00000000.2072061781.000001EDE1F02000.00000002.00000001.01000000.0000001A.sdmpfalse
                                                              http://wixtoolset.orgrundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, z8yxMFhhZI.msifalse
                                                                http://www.disig.sk/ca/crl/ca_disig.crl0AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIPAteraAgent.exe, 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000004.00000002.1771227691.0000000004706000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EE6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        http://acontrol.atera.com/AteraAgent.exe, 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E6E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.9/AgentPackageAgentInformationAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD096C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0734000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0838000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        http://my.splashtop.comAgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2ADF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageARAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7514622b-7504-4e73-83c1-cb213deb3a6aAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              https://github.com/dotnet/runtimewSystem.Threading.Tasks.Dataflow.dll.1.drfalse
                                                                                                http://microsoft.corundll32.exe, 00000010.00000002.1904488118.00000000076F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  http://schemas.datacontract.org/2004/07/System.Runtime.SerializationSystem.Private.DataContractSerialization.dll.1.drfalse
                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziphAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      https://download.splashtop.comAgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2B05000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          http://www.symauth.com/cps0(xdnup.dll.1.drfalse
                                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/37.9/AGENTPACKAGEAGENTINFORMATIAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                https://agent-api.atera.comrundll32.exe, 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183096187.000001E369CF8000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                    http://www.w3.ohAteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        http://www.symauth.com/rpa00xdnup.dll.1.drfalse
                                                                                                                          https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip?lE1JX9AteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            http://ocsp.digicert.cBoAteraAgent.exe, 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              https://agent-api.atera.com/Production/AAteraAgent.exe, 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                  http://crl3.digiceAteraAgent.exe, 0000000C.00000002.1854401612.000001DF24E10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000023.00000002.2181193022.000001E369C22000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                      https://ps.atera.com/aAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000023.00000002.2185412553.000001E369DC2000.00000002.00000001.01000000.00000025.sdmpfalse
                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c02a4023-6baa-4600-8d1c-cde6a0bc9950AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              http://web.ncdc.gov.sa/crl/nrcaparta1.crlAteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                http://www.datev.de/zertifikat-policy-int0AteraAgent.exe, 0000000D.00000002.2355737421.000002BBD0556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  https://my.splashtop.comAgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE2ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0738000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 00000023.00000002.2186220569.000001E369E24000.00000002.00000001.01000000.00000025.sdmpfalse
                                                                                                                                                        http://go.microsoft.cofw8AgentPackageAgentInformation.exe, 00000016.00000002.2049207030.0000017BC9259000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          https://agent-api.atera.com/Production/Agent/GetRecurringPackages.pAteraAgent.exe, 00000018.00000002.2692056998.000001489651A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.7/AGENT.PACKAGE.WATCHDOG.ZIPAteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000023.00000002.2178916823.000001E3699A2000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                                https://agent-api.atera.com/Production/Agent/recurringCommandResultAgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://github.com/dotnet/runtimeAteraAgent.exe, 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Security.Cryptography.Cng.dll.1.dr, System.Reflection.Emit.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Private.DataContractSerialization.dll.1.dr, Microsoft.CSharp.dll.1.dr, Microsoft.Extensions.FileSystemGlobbing.dll.24.dr, System.Diagnostics.EventLog.dll.24.dr, System.Threading.Tasks.Dataflow.dll.1.dr, System.Reflection.Primitives.dll.1.dr, System.Data.Common.dll.1.drfalse
                                                                                                                                                                    https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1f7cd882-99b9-4edc-8358-a44cbac962feAteraAgent.exe, 00000018.00000002.2692056998.00000148967A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://aka.ms/dotnet-warnings/System.Diagnostics.EventLog.dll.24.drfalse
                                                                                                                                                                          http://crl.thawte.com/ThawteTimestampingCA.crl0xdnup.dll.1.dr, stdpms.cat.1.drfalse
                                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.1/AgentPackageOsUpdates.zip?lE1JX9mAteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exeAteraAgent.exe, 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000000.2072061781.000001EDE1F02000.00000002.00000001.01000000.0000001A.sdmpfalse
                                                                                                                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896564000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=54d33d34-c90c-4ede-831e-f1f741c1dedcAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIPAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://aka.ms/serializationformat-binary-obsoleteSystem.Diagnostics.EventLog.dll.24.drfalse
                                                                                                                                                                                        https://agent-api.PAteraAgent.exe, 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          http://www.w3.oAteraAgent.exe, 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://aka.ms/binaryformatterSystem.Diagnostics.EventLog.dll.24.drfalse
                                                                                                                                                                                              https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                http://cps.chambersign.org/cps/chambersignroot.html0AteraAgent.exe, 0000000D.00000002.2392191319.000002BBE919F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fdf9888c-209c-49ee-a038-02e568237b90AteraAgent.exe, 00000018.00000002.2692056998.000001489651A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://github.com/JamesNK/Newtonsoft.Jsonrundll32.exe, 00000003.00000003.1720745521.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1731658678.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1773764408.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1862097536.0000000004ACB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2033244997.00000224D2A72000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2691785056.000001EDFB110000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2183670936.000001E369D02000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                                                                                      https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958AteraAgent.exe, 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0751000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          http://ocsp.digice0NAteraAgent.exe, 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=246bfa70-210d-46d7-81aa-ffbb467012bfAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              http://www.ancert.com/cps0AteraAgent.exe, 0000000D.00000002.2398127205.000002BBE934E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://github.com/mono/linker/issues/1416.Microsoft.CSharp.dll.1.drfalse
                                                                                                                                                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.0/AGENTPACKAGEPROGRAMMANAGEAteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      https://ps.pndsnAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B3F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://github.com/nlog/NLog/wiki/Configuration-file#variablesAteraAgent.exe, 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          https://www.sqlite.org/copyright.html2AgentPackageMonitoring.exe, 00000023.00000002.2239122661.00007FFDF18B4000.00000002.00000001.01000000.0000001C.sdmpfalse
                                                                                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?lE1JXAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zipAteraAgent.exe, 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zip?lE1AteraAgent.exe, 00000018.00000002.2692056998.000001489675C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  https://agent-api.atera.com/Production/Agent/guiCommAgentPackageAgentInformation.exe, 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    https://github.com/mono/linker/issues/1906.Microsoft.CSharp.dll.1.drfalse
                                                                                                                                                                                                                                      https://www.openssl.org/HPreVerCheck.exe, 00000027.00000000.2233864843.00000000009B5000.00000002.00000001.01000000.00000026.sdmp, libssl-3.dll.1.drfalse

                                                                                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                                                                                        Public IPs

                                                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                        40.119.152.241
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue
                                                                                                                                                                                                                                        18.66.112.125
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		3MIT-GATEWAYSUSfalse
                                                                                                                                                                                                                                        35.157.63.228
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        13.35.58.31
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        35.71.184.3
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		237MERIT-AS-14USfalse
                                                                                                                                                                                                                                        192.229.221.95
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        199.232.210.172
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		54113FASTLYUSfalse
                                                                                                                                                                                                                                        18.66.112.74
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		3MIT-GATEWAYSUSfalse

                                                                                                                                                                                                                                        General Information

                                                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                        Analysis ID:1552153
                                                                                                                                                                                                                                        Start date and time:2024-11-08 13:49:34 +01:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 13m 34s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                        Number of analysed new started processes analysed:69
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                                        Sample name:z8yxMFhhZI.msi
                                                                                                                                                                                                                                        renamed because original name is a hash value
                                                                                                                                                                                                                                        Original Sample Name:c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winMSI@163/1172@0/8
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 16.7%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 60%
                                                                                                                                                                                                                                        • Number of executed functions: 389
                                                                                                                                                                                                                                        • Number of non-executed functions: 1
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi

                                                                                                                                                                                                                                        Warnings

                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7768 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7884 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 6036 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7020 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7196 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7940 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 2484 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 2676 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 6876 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7412 because it is empty
                                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtWriteFile calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                        • VT rate limit hit for: z8yxMFhhZI.msi

                                                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                                                        07:50:34API Interceptor2x Sleep call for process: rundll32.exe modified
                                                                                                                                                                                                                                        07:50:39API Interceptor1632x Sleep call for process: AteraAgent.exe modified
                                                                                                                                                                                                                                        07:51:01API Interceptor40x Sleep call for process: AgentPackageAgentInformation.exe modified
                                                                                                                                                                                                                                        07:51:07API Interceptor858x Sleep call for process: AgentPackageSTRemote.exe modified
                                                                                                                                                                                                                                        07:51:10API Interceptor21x Sleep call for process: AgentPackageMonitoring.exe modified
                                                                                                                                                                                                                                        07:51:27API Interceptor2x Sleep call for process: msiexec.exe modified
                                                                                                                                                                                                                                        12:51:42Task SchedulerRun new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
                                                                                                                                                                                                                                        12:52:15AutostartRun: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {96ec02bb-b5fa-4892-a305-c6128466beda} "C:\ProgramData\Package Cache\{96ec02bb-b5fa-4892-a305-c6128466beda}\dotnet-runtime-6.0.35-win-x64.exe" /burn.runonce

                                                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                                                        IPs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Domains

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        ASNs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                                                        50d410.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        50d411.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        50d412.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        50d413.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        50d414.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        50d415.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        50d416.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Config.Msi\50d405.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8813
                                                                                                                                                                                                                                        Entropy (8bit):5.663022375681492
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:TjVxz1ccbTOOeMe4e61E7r6IHfE7r6kAVv70HVotBVeZEmzmYpLAV77RXpY92r:TpD2QwpwtiB2i9
                                                                                                                                                                                                                                        MD5:4F8C887F5A0C7386BA277D9DED25D199
                                                                                                                                                                                                                                        SHA1:B658EFCD69D7763BC704B9BE1F241A5FC5405081
                                                                                                                                                                                                                                        SHA-256:B9812CC203DF289FB7E379FE7A163EBA2F539128E6EBB0FEE3B6B619943145E1
                                                                                                                                                                                                                                        SHA-512:6DE451E01771BF9F69A343A011AC1EBBD3E1F7A3A6768BD1D2F6FC494042890187136C8721D0F980E272A2014F0A767114B36DA542493884A50FDF4AAD3117D8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\50d405.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@R>hY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..z8yxMFhhZI.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F01010-E31

                                                                                                                                                                                                                                        C:\Config.Msi\50d409.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):76037
                                                                                                                                                                                                                                        Entropy (8bit):5.733452205638212
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:NPXeqjCyEgH2bQzxW5wM/wt/JBQKwHhrRUL2l+Jq4599oefeIubJZrQ1vMF8Ekdh:aSx
                                                                                                                                                                                                                                        MD5:3FB99792B3F85571F84AB1573A4641AC
                                                                                                                                                                                                                                        SHA1:F6D7156CBEC295FD6EA2557E4575E9D2949053DF
                                                                                                                                                                                                                                        SHA-256:4D67B1D4CB376FB59F1F8B7102D2A100855DF51CD82B472A86403EC604134BA2
                                                                                                                                                                                                                                        SHA-512:D4CFEAF2854EE7616B7EBE86B71B78676B458ADC0EE84676B48CDF143C25C344C18A4B052FAFC1BF5C666339D4889279FC2B9960A83B8F48119EA3B5382FCACD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@q>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{06653204-4010-8C69-AD0A-982273468010}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{76FB8673-364C-25A7-DEC2-3C43D0343A02}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{944490A2-222A-67EA-5532-3CEF12

                                                                                                                                                                                                                                        C:\Config.Msi\50d40b.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):464
                                                                                                                                                                                                                                        Entropy (8bit):5.213004740233012
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Ea3LM5/e/YeVugrUucQBak5cSvpL7lgYKq9uSgmll/Vnpm/nsuRYaRsjXwpoh7LW:EgY/OBjUcBn97lghq5j//a/fNl+9W
                                                                                                                                                                                                                                        MD5:BC72E69751C9FFD17AB74B6D7704B1B5
                                                                                                                                                                                                                                        SHA1:B3BC368F2C03BCAB2DDFBE3A34E7F77648C068C7
                                                                                                                                                                                                                                        SHA-256:FA6DD2AB9EF59107840B65B645E7A85D76EF00100C042569ADC597A7B88C0134
                                                                                                                                                                                                                                        SHA-512:12221A38228943C3B4D0BCF8F145ADAB0867D4BAA33E3673BE9CF1DDF9473455742108C178547D6290386E4FF4942633AD0909FADBA97BE2683B7E2EDC8EDAED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@x>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....Util_UpdateSetting....Util_InstSrvAndDrv....Util_InstDone...@.....@.....@....

                                                                                                                                                                                                                                        C:\Config.Msi\50d40f.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9497
                                                                                                                                                                                                                                        Entropy (8bit):5.569129401955382
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:oj4GccRZbLCsgRNbLCMDp17qEVl0cyuLALtyD0qagukGGhaKfmbHt1fK6kYrEcZ:os4R9gRBdVKKz69T
                                                                                                                                                                                                                                        MD5:782DF96E38BA2AEDD76D1BE9D88781D1
                                                                                                                                                                                                                                        SHA1:0FB5DD0396BC3AF7DC3BDD96F4FE28DC2F476613
                                                                                                                                                                                                                                        SHA-256:4A4AA29A992DA84ED6AD703A1DB128F8DCB7A0F9DC80843D52B75AAC66A063E2
                                                                                                                                                                                                                                        SHA-512:5FBEF2DFD2FCD9EDE9CB73E8CC9DD71EB17DF5FED5C5D635084FCE17CD8DD2FC6A45CE78979FE446A225592270B34D3FE1421F6AC84EB125DE59459A3DD84F0A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\50d40f.rbs, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\50d40f.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..ateraAgentSetup_1_8_7_2.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\50d406.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8.7.2%...Hel

                                                                                                                                                                                                                                        C:\Config.Msi\50d417.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8767
                                                                                                                                                                                                                                        Entropy (8bit):5.654346336430275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0y7wo+fncHMeX1f6ITf6k7s5VNpkxYpLso:0Po+fncHJfVftSNpkcP
                                                                                                                                                                                                                                        MD5:0E78F6482D4A2F609994D315B96E6DB7
                                                                                                                                                                                                                                        SHA1:2D66F6E37AED99FB44DC4F17FD091F582178DC03
                                                                                                                                                                                                                                        SHA-256:7AFF02E93F5935C92878B0550B1F4AF927122B9BF06EB715E14B9B7D9EE1DC35
                                                                                                                                                                                                                                        SHA-512:89A980EC7749A5C8E7BB138208F0943BAE313AA2D9CCE70FB5E685A78FDB1C4B2AC18599BA5157B00ACC8D8B78695BF8882672B88703632FAA3680527E7BA8DF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\50d417.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......

                                                                                                                                                                                                                                        C:\Config.Msi\50d41b.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57458
                                                                                                                                                                                                                                        Entropy (8bit):5.865001607940842
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:iL9BRzVH/GV1a67QzE/DBFIAL1UN7Tbob0qvJWj28erEReN4CVcaf1QeLHaH8o1z:EwI5i8jW38
                                                                                                                                                                                                                                        MD5:4BABE336F42F5A670A2F84B5FAA49EDB
                                                                                                                                                                                                                                        SHA1:ACB7A7764C5A3BF251056ABD5FF302EB0A482E07
                                                                                                                                                                                                                                        SHA-256:8F910056F94B0A1CFC83B49DA88EDC88CE8F3F00FBDB56CAAA3F99E31A84E221
                                                                                                                                                                                                                                        SHA-512:2CA5A72E620E415FC56F9C32C9B46ED0DC397F5D33F258E467C5B371129FC156965551833FADE73692D0E41C5D81D9CD77F47DEC33A04464EE0FE6EB69C69425
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}%.Microsoft .NET Runtime - 6.0.35 (x64)!.dotnet-runtime-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{76657AF8-AF4E-4FA9-9A39-80AC267D9B11}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{BCDE6883-BAB7-54AB-B504-D8C3F75FDB2A}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{F621578B-E081-5FC4-B0C5-A151B816DC51}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{B0658A77-9697-57AB-AEF0-C49F5788A264}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{120A93F0-81ED-50CA-849C-D3C267F0E1B9}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{B6486357-3BB8-567F-A403-76642301DF0F}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{7DD77B54-D0C8-5E10-9C80-EE381420C680}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E

                                                                                                                                                                                                                                        C:\Config.Msi\50d41f.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9062
                                                                                                                                                                                                                                        Entropy (8bit):5.596841868640755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:MFtGg8V0keFwptKIIxKICTBO76E6NZG6XXHws3M6p7RV/tbM7YB:MuHKlKLH
                                                                                                                                                                                                                                        MD5:34AA1CBC3850BD6ABB211376092F5913
                                                                                                                                                                                                                                        SHA1:EAA96280C7EB32B65AC25AF172EDD3DBD5C9C8B5
                                                                                                                                                                                                                                        SHA-256:BD391A642428F0BD5CCB2236ACCED01D45C38DA389D560BD7AB2CC405F95FE06
                                                                                                                                                                                                                                        SHA-512:BB32493894924DDD5A2E9A3CA20DB4F1C2BE692FEB81150E2ECC6562035B240210F79751DA4CA8E40FD08421FE4B22A12E8F3FE79EED6027148D48F383C15CA2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{E91F8AC1-4917-455E-AACA-B40B193C7A62}..Microsoft .NET Host FX Resolver - 6.0.35 (x64)!.dotnet-hostfxr-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{4E46258D-E612-40D6-A98B-8F64771E3561}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E3262256-B959-50C5-91BD-D2C1656236F1}&.{E91F8AC1-4917-455E-AACA-B40B193C7A62}.@......&.{B59DD035-01D3-57CD-A06D-224838439FEA}&.{E91F8AC1-4917-455E-AACA-B40B193C7A62}.@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}&.{E91F8AC1-4917-455E-AACA-B40B193C7A62}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Program Files\dotnet\host\fxr\6.0.35\....3.C:\Program Files\dotnet\host\fxr\6.0.35\hostfxr.dll....WriteRegistryValues..Writing system registry values..Key:

                                                                                                                                                                                                                                        C:\Config.Msi\50d423.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):10280
                                                                                                                                                                                                                                        Entropy (8bit):5.646475780942866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:M3qLUB71Ew8lnfseUtlIImlI9OE5Bai6pe:MdB71Ew6SlalxS
                                                                                                                                                                                                                                        MD5:FE552BFB76AE84E09747027D927BFF77
                                                                                                                                                                                                                                        SHA1:04A45BB6EF5B9F6BD8A296F903B326D19B5F7200
                                                                                                                                                                                                                                        SHA-256:DA0F399FDAB4168AF3F3283A714B20548448F7E060EF1A6E69CDED9E1DDEDB94
                                                                                                                                                                                                                                        SHA-512:609510576AFBFB197AC27EA56FE2ED99BB656403C2C7A348CB6FE5E53F78D970BB4237C09A698D025078866B83DC350DB92C13235E4A1D983796AA05E141266A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}".Microsoft .NET Host - 6.0.35 (x64)..dotnet-host-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{C44636B0-CF91-423F-8EBB-E5C6C9CC18A4}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3AB1371A-161F-5BD9-98C8-F9BF7A103CA5}&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}.@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}.@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}.@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}.@......&.{CE35924C-AD31-51DF-B84A-A8052ED08400}&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}.@......&.{A61CBE5B-1282-4F29-90AD-63597AA2372E}&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}.@....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1967254
                                                                                                                                                                                                                                        Entropy (8bit):7.99899464874092
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:GIvTD8ZtXieZ2TfM38pgpbNQRcMzGExh+26D4o0Ydyg:XTD8ZweZbMy5QFGExw9D4oVH
                                                                                                                                                                                                                                        MD5:8DE5A7A19D882820893D8B911C1710FB
                                                                                                                                                                                                                                        SHA1:95CDF5855BC5E454C8944952697AB142F77124F7
                                                                                                                                                                                                                                        SHA-256:2BEE5835A45E74F454648C57FEF0D6FCA40D64308F813CB759CCAB1B2AB576A9
                                                                                                                                                                                                                                        SHA-512:3056784D9A1AE5A8A5DD92D7ED6AD1311E863E41A6CA5971AAC5D626DA1338DA44D0828448AA9AB1F9EDB88AFBAAACD57660C4C102812BC94240654B8D5237A7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK.........BfY................Agent.Package.Watchdog/PK.........AfY.#.L>.......7...Agent.Package.Watchdog/Agent.Package.Watchdog.deps.jsonr...+v..$...01%...{.r`..P....F|..A...;.[...j....u.....z.).E..q...s*...D...4.....Es.^+C.......P.3b.......o..i_&#..?..D..}...~&L....D.C.y......dm...A....6..:.s..^L.I6{.......c)2s.<...hU.n.(#.7.15..q...o..j..n..=.g{.mN.....jH..5......N$......Q_..?VY/.[Dk..V..56.V.C,.....x..6...Z2b...t.....%..u..gR.3...{..<:.z..v..+c6A2.f.!+Sa..p0;^..E.]............2....1..@p.6.!..|~.}.vj........-...hB.......&R.i.=..G.....g.A..~f.. 8..F......*..j.....O.....b...6..%9.x.Q.z_K@%...[.k1a.w4U...x.V.ae..E%`B(....."oz!...h..+...XP.i...B.^...i..A.......(I.1....O...d.O.yt..=e%O.s........YUC.B=m..g]....x\\8...0k*P.e~p...d.....e...`..2.6.<2`.s9.f.F......z>8.L.i....y..Sj3.`.].F.......e...Fb.....U.A]..8......*...]R[O....... \.....X`..2...#](.M...(..k?...L%Y.&....M..=&.......t.c`[..&..h.OV./.b#.>..T...!td....Z......d[,........^$...<.P3.;..=..m

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.deps.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):39359
                                                                                                                                                                                                                                        Entropy (8bit):5.001107788783311
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YT5DUarXaaec21v5Oc55MNXP4RBTEQ88jnfA:YNDUarXaaecC5Oc55mXP4TTEuA
                                                                                                                                                                                                                                        MD5:D4D3077248D2EC265329DA2BB4EB1409
                                                                                                                                                                                                                                        SHA1:C4118CD8CC0C738D212BD57B262C83652BD06582
                                                                                                                                                                                                                                        SHA-256:6E5DCE5A789BB451AF3B5136C9832DA6A621A92EAA151D1BA699B9C0FB6CFB9E
                                                                                                                                                                                                                                        SHA-512:AC479A172E4F0E90A096B13D5F785EC3184F214000B9578D835E9A4FBF7BA64F3C2D0F679C6B0F325B9A34623E8548CBD4B8C1873A4DF1CAFECC94AAD343F7BD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Watchdog/1.7": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.4",.. "Atera.Agent.Package.Tools": "1.0.22",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.4": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "7.0.1",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "7.2.3",.. "Serilog.Extensions.Hosting": "5.0.1",.. "Serilog.Sinks.File": "5.0.0".. },.. "runtime": {.. "lib/net6.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.4.0",.. "fileVe

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35408
                                                                                                                                                                                                                                        Entropy (8bit):6.4700416722695895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:i0uXcA8f/rEacom1OiYW32L0k8pJsjmd+uE8aNmHCiYVGx5mNyb8E9VF6IYijSJV:iDXcA8HBcomwxW3Rk3C+udBuEpYi60Y
                                                                                                                                                                                                                                        MD5:982E427EAFC97BD0044FD50745B72A6B
                                                                                                                                                                                                                                        SHA1:978C94A813E0931D62A28A8D40BF3F19CE504029
                                                                                                                                                                                                                                        SHA-256:9590664E74B2A011504764572E4E7DA12758415167958FE512E98CA3278F2AEC
                                                                                                                                                                                                                                        SHA-512:25461E9A3BC9B7D01FC6EC19F05AB5B313C81B5A3ED015F7A95DC7B493EDED733EEF181C2CDB840F9CC8AC497FCEB14D857825AB4EB55EE4138EB8A12CC6A352
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..X...........w... ........@.. ...............................H....`.................................4w..O....................b..P(...........w............................................... ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............`..............@..B................hw......H........2..<D............................................................{....*..{....*..{....*..{....*..{....*..{....*..(......}......}......}.......}.......}.......}....*....0...........u.......;.....9....(.....{.....{....o....,w(.....{.....{....o....,_( ....{.....{....o!...,G("....{.....{....o#...,/($....{.....{....o%...,.(&....{.....{....o'...*.*.*..0.......... ...9 )UU.Z(.....{....o(...X )UU.Z(.....{....o)...X )UU.Z( ....{....o*...X )UU.Z("....{....o+...X )UU.Z($....{..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):161360
                                                                                                                                                                                                                                        Entropy (8bit):6.243597431749339
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:I5vnr5Tbx829UOeKnn2LFzZBp13u36wKp4CULCXodwpz:IBKjK2LFzZNfJULq7z
                                                                                                                                                                                                                                        MD5:242D415E238789FBC57C5AC7E8CA5D02
                                                                                                                                                                                                                                        SHA1:09C1E25E035BE67C9FBFA23B336E26BFD2C76D04
                                                                                                                                                                                                                                        SHA-256:7F3DED5BF167553A5A09CA8A9D80A451EB71CCECC043BDA1DD8080A2CBE35FA2
                                                                                                                                                                                                                                        SHA-512:AC55D401951ECF0112051DB033CC9014E824AB6A5ED9EA129A8793408D9BF2446CB3C15711E59A8577E0F60D858A4639E99E38D6232315F0F39DF2C40217EA40
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.J.^.J.^.J.+.K.^.J.+.K.^.J.+.K.^.J.&GJ.^.J^,.K.^.J.^.J@^.JG+.K.^.JG+.K.^.JRich.^.J........................PE..d......f..........".................P@.........@..........................................`.................................................|(...............`..L....N..P(.......... ...T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data...X....@......."..............@....pdata..L....`.......,..............@..@_RDATA...............B..............@..@.reloc...............D..............@..B.rsrc................H..............@..@........................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.7004397181410926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUmov:Wvov
                                                                                                                                                                                                                                        MD5:82F71B382E51CAE212E670779DBDF14E
                                                                                                                                                                                                                                        SHA1:C764F353E7B76236468649989C39EAEF3B97E701
                                                                                                                                                                                                                                        SHA-256:B57642302DEA3460BD78B6D9C62593939852C8526BA1779067D411E4DDA3DE17
                                                                                                                                                                                                                                        SHA-512:C5687A7DBBD4C714181F1ECFE1810A48109A4D9D4E3E90E88DA67FA3CB2736D5B3AA260B6680FA6A07FAA66CCB59DB05F9E8E345FD0DC50ABB63CB83DAAF0BFF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.7..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.runtimeconfig.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):288
                                                                                                                                                                                                                                        Entropy (8bit):4.622820819612829
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:3Hp/hdNyhAkv3Opo/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkv3OpJ5MeU1s5hex+K8Es2
                                                                                                                                                                                                                                        MD5:AA6C95679FBDCCE9930CD0588089344B
                                                                                                                                                                                                                                        SHA1:46294C035BFB927915DC089C67475610AF904E86
                                                                                                                                                                                                                                        SHA-256:8DA9CA03D76A3AA7BAB068EC578B441B3DC3BA7F9C94EE42203286B8E650F5B9
                                                                                                                                                                                                                                        SHA-512:91EC4C51D846AA4D881F02FFE051B4A6BDD7263574214186D7D8609AD4447E38D5547586C3B973FD6371622A6F574B767405074ABC96CFF40B7B3D7C8A9F7842
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "rollForward": "LatestMajor",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53840
                                                                                                                                                                                                                                        Entropy (8bit):6.297907121687926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:8dUSqld/oh93y+UR4ULL4L88EKNoo9sXQqthEpYi60QY:8d2P/phL4L8KGo9sgqtK76u
                                                                                                                                                                                                                                        MD5:1A5F29E19AFB572B5380F3CFDD935D6A
                                                                                                                                                                                                                                        SHA1:4A8432F57161886AAEC2D6761F5677BBE2A68F3E
                                                                                                                                                                                                                                        SHA-256:E0F10B6137F48219EF31700A6C668857306EDB6ABF8911853331C8A7B5E55A23
                                                                                                                                                                                                                                        SHA-512:638F5440A11ABA7D453D58B8158E6CA4A453297356D67E1CC59C693A32774D57BFC0BF1A407BDCD15BE892E8012B31C21577A60395E20EC0C3E88F804308B573
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.(..........." ..0.................. ........... ....................................`.................................X...O.......t...............P(..........P...T............................................ ............... ..H............text........ ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B........................H........I...t............................................................{....*..{....*..{....*r.(......}......}......}....*....0..Y........u........L.,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o....*.*.*....0..K....... M.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o ...X*..0...........r...p......%..{.......%q.........-.&.+.......o!....%..{.......%q.........-.&.+.......o!....%..{.......%q.........-.&.+.......o!....("...*..(#...*^.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66640
                                                                                                                                                                                                                                        Entropy (8bit):6.272861820966947
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ZO4QNCMhTIDWo+hDbEicjIeoCtU1a1ZTG/2u2Xv2vFbanu5jEpYi60IKx:TQTIywi3eobgTG/2u2/wb0u5c766x
                                                                                                                                                                                                                                        MD5:8746122FDF7EFC772183F4DF2E91982A
                                                                                                                                                                                                                                        SHA1:AF4203A3D27A1E52FA9F34A050B6540514FD6435
                                                                                                                                                                                                                                        SHA-256:0BEE7E589E4CB7C5D46CE745385C3798DD5093984DD3C56AADE1E13BE6E53C42
                                                                                                                                                                                                                                        SHA-512:07E227E88B5E260919678C05DD21F650E39A180A0F952885998203931C118D7966BA1527316329E1A3BEA27EC9A415DED81F396354F55D8CABC8D1D5BABC3F73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.t..........." ..0.................. ........... .......................@......x.....`.....................................O.......................P(... ..........T............................................ ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........_...............................................................(....*^.(.......J...%...}....*:.(......}....*:.(......}....*...0..T........(....(....,..(...+&.(...+&.(...+&(....,..(...+&.(...+&(....,..(...+&.(...+&.(...+&*.0...........(....&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&*".(...+&*".(...+&*".(...+&*.(....*.(....*..(....*j(.....%-.&~....(....o....*j(.....%-.&~....o ...(!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186448
                                                                                                                                                                                                                                        Entropy (8bit):6.958192575536949
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:4hOh6zHpz7YSkfd6kUYm4wlb6QAGcbLQpgjOHopZb7UsUDfAbmn1F8mSowR:4hJ177+9jQAVph4sUDfAbm1F8lR
                                                                                                                                                                                                                                        MD5:D0EE12CB6A6293426BEE6D95908C38C8
                                                                                                                                                                                                                                        SHA1:7A1B43AF1ED6C0F6E0A4283AC217ECFFB75357A8
                                                                                                                                                                                                                                        SHA-256:EECB149B376D21EC9D6CE3C295DAAFD7FCE36476FCE42C786813DD00AE0D4657
                                                                                                                                                                                                                                        SHA-512:92797BB40A9C11A07DEB40F73750C041CF5B471E19BABFC182208D6B5B44B6E74C89AD174A911F27E9587CD69D72A6191DB096D38EE67FA38E2C4811861D65AB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.............:.... ........... ....................... ......{.....`.....................................O.......$...............P(..............p............................................ ............... ..H............text...@.... ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B........................H.......0.................................................................(9...*^.(9..........%...}....*:.(9.....}....*:.(9.....}....*:.(9.....}....*....0..G.........(:...}q......}r......}s......}t......}p.....|q.....(...+..|q...(<...*..0..G.........(:...}x......}y......}z......}{......}w.....|x.....(...+..|x...(<...*..0..G.........(=...}c......}d......}e......}f......}b.....|c.....(...+..|c...(?...*..0..G.........(=...}k......}l......}m......}n......}j.....|k.....(...+..|k..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29264
                                                                                                                                                                                                                                        Entropy (8bit):6.5196842118788085
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Y+q+2Vv/+usFlLVyKo/9ETG/DwzzRjz69M1ZVMdWs6NWskgNyb8E9VF6IYijSJIB:Y+EF/CvyKohrqn3EpYi60izJk
                                                                                                                                                                                                                                        MD5:7C01218E99981139C044B9D2820B887C
                                                                                                                                                                                                                                        SHA1:816284B70E7B7F3756F01C887378883481428081
                                                                                                                                                                                                                                        SHA-256:D07D4472E5E80A0EBDCF2870629DD12E5EECFDD79C8BBB932BE3104135F8C77C
                                                                                                                                                                                                                                        SHA-512:BFFD5DA9B2FE6B810FC5E5E567E085545665115101E4F48E3324FF4369E35D8D55D42F4E68138E5EBE371C097E88C3801D5FFF440A57AB9C1EF8522D12F31B12
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N............." ..0..>...........\... ...`....... ...............................;....`.................................{\..O....`...............J..P(..........d[..T............................................ ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............H..............@..B.................\......H........(...............W..X....Z........................................(&...*^.(&......8...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....**.-..(....*..s'...z.~....*...0..........(....,..*..(.....o(......&...*...................0...........(.......()...-..,..*.*.(....,.r...p......%...%...(*...*..(+...*.(....,.r...p......%...%...%...(*...*...(,...*.(....,!r...p......%...%...%...%...(*...*....(-...*..,&(....,..r...pr...p.(*...(....*..(/...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42576
                                                                                                                                                                                                                                        Entropy (8bit):6.4046458780485525
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:oThLeDjUB16TI1CQ12cMcFgL/l5dgEpYi60JVY:oTvB71dEcME45dp765
                                                                                                                                                                                                                                        MD5:878C629AC2EEA81E6EAD65CD6A50F5A3
                                                                                                                                                                                                                                        SHA1:35B9F1D10DAFB3025AC0413D7AA0ED0CCCFFDE6A
                                                                                                                                                                                                                                        SHA-256:E17A324E6361ED45A6E48C799B8E33349BCF41242723795CFC312B9E8E697813
                                                                                                                                                                                                                                        SHA-512:8F9C02DFD0EE383A605FB2C57652E1580BAAB1DF0422D6E9ADD9D95CC8EC698CB346413B407E39D1AE61C67CF7CD95FD71D9C2569FC192BAEB67B821D1F94D03
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f............" ..0..t.............. ........... ...............................}....`.....................................O....................~..P(..........|...T............................................ ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B........................H.......4:...L.............8.............................................(....*^.(.......A...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...( ...*..(!...*.(....,.r...p......%...%...%...( ...*...("...*.(....,!r...p......%...%...%...%...( ...*....(#...*..,&(....,..r...pr...p.( ...($...*..(%...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25168
                                                                                                                                                                                                                                        Entropy (8bit):6.668752308927327
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JYEMITBweJkneGO3WKGW9anWsxNyb8E9VF6IYijSJIVxOStz5:lTBwa7dEtVEpYi60J
                                                                                                                                                                                                                                        MD5:A256A34CA45909D19DF819603DCB13AF
                                                                                                                                                                                                                                        SHA1:DCC715A30ED57D7EB32BBC8E1DF0CF83EE1C4CD0
                                                                                                                                                                                                                                        SHA-256:5D6A87A5C6DF09E73DF6DFBE73CE7E1D254E021FE536884C8596B32E5DB2B30A
                                                                                                                                                                                                                                        SHA-512:4967DF87A1287CB1F3C60711723F1A3E680C8EA79FDE1824A8780E17A7ED4E6C8F69D31BD9F76ABA01119115654B7C10E844FDE9C48851B37BD60D5030A64EBC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1............" ..0..0...........O... ...`....... ...............................p....`..................................O..O....`...............:..P(..........xN..T............................................ ............... ..H............text..../... ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............8..............@..B.................O......H.......d&...#..........hI.......M........................................(....*^.(.......-...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....( ...*..,&(....,..r...pr...p.(....(!...*..("...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21584
                                                                                                                                                                                                                                        Entropy (8bit):6.714340321050238
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w6jxRm3soGTeZeszQm31WUKeWstNyb8E9VF6IYijSJIVxen7fT:fj23spTeZposJEpYi60q
                                                                                                                                                                                                                                        MD5:D1A72EDF2377EF9E1AB99325DD033D40
                                                                                                                                                                                                                                        SHA1:E4B5F48A5B5E3424CCB2D127E7AD27D19893B483
                                                                                                                                                                                                                                        SHA-256:88DA1CB723C78E0FFF141534E2960F0738E4A023C3A5C1929BD66193ED22BA2C
                                                                                                                                                                                                                                        SHA-512:333812806E3B14ACCC0E3C5E86B815CEE893E3C67453B4B99FEF02855BC718DAE9FD3A2344B4B3D9BE09DDAA8B1B21F6F0F55E05DE6055A5E49FA0EF8331285C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s............" ..0.."..........NA... ...`....... ....................................`..................................@..O....`...............,..P(...........?..T............................................ ............... ..H............text...T!... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................/A......H.......x#......................T?........................................(....*^.(.......$...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.s....o....&.*V.s....%.o....o....&.*"..(...+*v.(.....~....}.....~....}....*..(......%-.&~....}......{....(....}....*2.(....(....*..(....o....r...p.{....r...p(....*..0..........(....s......o.....8.....o .......(!...t&.....o .

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28240
                                                                                                                                                                                                                                        Entropy (8bit):6.599763231337247
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:tzp434gr92+liFe/5XjtCZ0UaFoSc43IXABPpBzWq66WsdNyb8E9VF6IYijSJIVF:1xk1/9jtGhScRwPpByoZEpYi608L2X
                                                                                                                                                                                                                                        MD5:8E2141AACC92F6096C9B6DA6BB5A0F33
                                                                                                                                                                                                                                        SHA1:2F702720C1C320434120E471B4329EE2143EA221
                                                                                                                                                                                                                                        SHA-256:E9F9CE42CB36557CAC26BD6D5907BB125C4678D15198700AB767E7144B0E0D18
                                                                                                                                                                                                                                        SHA-512:82E74FA668BCFAFDE8956DFECE6ED8B0DF744C506824ACCF53EC69236DB59DE23E1CA34F40358BFE39B06290C5029C0C611C7C8DBE7881C53BDDE9B72843D3FC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."..........." ..0..<...........[... ...`....... ...............................l....`..................................[..O....`...............F..P(..........tZ..T............................................ ............... ..H............text....;... ...<.................. ..`.rsrc........`.......>..............@..@.reloc...............D..............@..B.................[......H........(...,...........U..8....Y........................................(....*^.(.......3...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...( ...*.(....,!r...p......%...%...%...%...(....*....(!...*..,&(....,..r...pr...p.(....("...*..(#...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.56193078447284
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eXLAulT7JkcAoWovkT7jF6zOFz3Ge1l68mWka2WsGNyb8E9VF6IYijSJIVxlt0D6:aLAux7yUcT7jF6aYhSkOEpYi60J
                                                                                                                                                                                                                                        MD5:3F6FACE7733E23C3B705321A95612C3F
                                                                                                                                                                                                                                        SHA1:4093ABF818172BF36D0B174A616DDA022DE186AA
                                                                                                                                                                                                                                        SHA-256:4FFA4A98A3F5F33F727E6DAFEB252E0DFED4CEA13720346BB86B120E6E104451
                                                                                                                                                                                                                                        SHA-512:BB3F66CC0EDDCE7CE165278B1F6E9716BED87701250CEC9D086AB7E6F5FE5FBEE66BA7F60E2D3DD3C298E06F39E4D436D27B5008920DCE2BC5CCEA2EFAE4F85B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..:...........X... ...`....... ....................................`.................................SX..O....`..l............D..P(..........LW..T............................................ ............... ..H............text....8... ...:.................. ..`.rsrc...l....`.......<..............@..@.reloc...............B..............@..B.................X......H........(...)...........Q.......V........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*..............!....0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..( ...*.(....,.r...p......%...%...%...(....*...(!...*.(....,!r...p......%...%...%...%...(....*....("...*..,&(....,..r...pr...p.(....(#...*..($...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26192
                                                                                                                                                                                                                                        Entropy (8bit):6.547720137603778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LMvnbB39p5YGTv9uuM1iFSF3yE1LlW9KCWsHNyb8E9VF6IYijSJIVxUaa:LKnbPplTv9uuLuVwrEpYi60k
                                                                                                                                                                                                                                        MD5:8BB0B459701F66BAE28E754B043963C3
                                                                                                                                                                                                                                        SHA1:E567DD2727E5BF3CF10A6C70891E63EE0247C41C
                                                                                                                                                                                                                                        SHA-256:895928EC2A2AF3A288444C6DA2FB1E5249F6054C553FE763CD6D73CCFECF3266
                                                                                                                                                                                                                                        SHA-512:E84CD6BC9A6DE8E00FC5FCFDB2A660AD293ED619AB0E114EF52C73520738307E23618CACC2D5E2ABB2755B5D58FF0D7A81817F5E8C34CB5E9707191C756B0192
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.<..........." ..0..4..........bR... ...`....... ...............................:....`..................................R..O....`...............>..P(...........P..T............................................ ............... ..H............text...h2... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B................AR......H........&..$$..........(J..P...xP........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....( ...*..,&(....,..r...pr...p.(....(!...*..("...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41040
                                                                                                                                                                                                                                        Entropy (8bit):6.409309688620981
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:m054t3ibki5TCk3jqEr0WBum6BEpYi60mh:mPtnUj/Lkm976jh
                                                                                                                                                                                                                                        MD5:373DB163844AD86DD52C7BDF925B69F1
                                                                                                                                                                                                                                        SHA1:3CF502E28A2517C712E39FF4910378411BBD2210
                                                                                                                                                                                                                                        SHA-256:D77DDA6EFD4B6F26F4D4227DA1C493DED85FB7118C05231E20E084A1A002C1B0
                                                                                                                                                                                                                                        SHA-512:91A6BE82CD1F74B603F422F00E5B51FDBC30D5DA9D34C1EE28F1C5BE188BD5D29BF6FF78DF58ADE9FEC117120A62DC1D3A55E347697F83739C29DFE3FD2DC5DF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...mq..........." ..0..n............... ........... ....................................`.................................a...O....................x..P(..........d...T............................................ ............... ..H............text....l... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B........................H.......p8...M...........................................................(#...*^.(#......A...%...}....*:.(#.....}....*:.(#.....}....*:.(#.....}....*:.(#.....}....**.-..(....*..s$...z.~....*...0..........(....,..*..(.....o%......&...*...................0...........(.......(&...-..,..*.*.(....,.r...p......%...%...('...*..((...*.(....,.r...p......%...%...%...('...*...()...*.(....,!r...p......%...%...%...%...('...*....(*...*..,&(....,..r...pr...p.('...(+...*..(,...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45136
                                                                                                                                                                                                                                        Entropy (8bit):6.257780262213066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Zq+RszBJV7CkN9YxrIvw2DLBjYAQP0+lyJ9PPYEpYi60si5y:Zq+SSkNNjdQc+cJNp76H9
                                                                                                                                                                                                                                        MD5:46178C89C18265DAC04BB569E8AF1B32
                                                                                                                                                                                                                                        SHA1:2BF62F8A2802EC573ACDCC1847126A4BCC9D57CE
                                                                                                                                                                                                                                        SHA-256:18B49A2C97AE0A0A7D127D99BA24BB6F6B7C05BF321AC4858CD5881908CD937C
                                                                                                                                                                                                                                        SHA-512:A007F1406921F7E7C9564EACDA5DD795BA5AF736B1A1BB24652D1C1105CC78C6BDB95391EB0AD0760FF651785EC2A1B953A52DEEE70E7A0A5D5E9DA9E14A7402
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r=..........." ..0..|............... ........... ....................................`....................................O.......................P(..............T............................................ ............... ..H............text....{... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......<=...U..........P....... .........................................(!...*^.(!......E...%...}....*:.(!.....}....*:.(!.....}....*:.(!.....}....*:.(!.....}....**.-..(....*..s"...z.~....*...0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):85072
                                                                                                                                                                                                                                        Entropy (8bit):6.265757695793194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:0NNgvCsvGPrpqSMo4Z9M4IIWSYe2Kbj5u6fjQ+7PMMcmnJf76hF:0MCsvGPPed5ZfjQ+rBvJf2F
                                                                                                                                                                                                                                        MD5:8F3F02B670469A026ADC32C95EE8896B
                                                                                                                                                                                                                                        SHA1:313B177A7F8FE38642D0F8AC7C417B271DFA3B45
                                                                                                                                                                                                                                        SHA-256:EF4A952ECDCF4CCBACA859D30175F3DA67BACE8A2E457BA42A70F0F95286A3A2
                                                                                                                                                                                                                                        SHA-512:C91C7D357FBA0B90376F9FB695FC95E799FF9BAB7F55CF094666FF066EF88AE468CCBBE85A822D7DD6DA268F9533279CDF884B6D04AC4F6F1D9F2DB8C8AA87F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.)..........." ..0.............28... ...@....... ..............................7T....`..................................7..O....@...............$..P(...`.......6..T............................................ ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................8......H.......lj..............$%..0...T6........................................(&...*^.(&......s...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*.~....*..0..........(....,..*..(.....o'......&...*...................0...........(.......((...-..,..*.*.(....,.r...p......%...%...()...*..(*...*.(....,.r...p......%...%...%...()...*...(+...*.(....,!r...p......%...%...%...%...()...*....(,...*..,&(....,..r...pr...p.()...(-...*..(....*.*.(....,.r...p......%...%...()..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23632
                                                                                                                                                                                                                                        Entropy (8bit):6.614672831994715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hVAko1Z0S/oj6ETt9EQMVSz3PMA2oWs6hWs6SNyb8E9VF6IYijSJIVxqJp3:h3m0SM3Tt90Pl73EpYi60aB
                                                                                                                                                                                                                                        MD5:EAC42065062A2A30472F196B5BA2BB5B
                                                                                                                                                                                                                                        SHA1:9FC9DBBA48A4C8924EABC0A9D4720E5036EB2233
                                                                                                                                                                                                                                        SHA-256:BFD8A444C655399ACDDF034778B162D8AEC18D896790FB7BB258D39C06C8C6AB
                                                                                                                                                                                                                                        SHA-512:8F0C4126A4C9AB728A21D5B436697500F1DCD184CAFA909EFB0A872453B2BF35D06B084DD5D2D92B0792FBF805596B6D2F6909CFE74FBD12C0D51D887E2605D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............" ..0..(...........G... ...`....... .............................._.....`..................................G..O....`...............4..P(...........F..T............................................ ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............2..............@..B.................G......H........$...............B..@....F........................................(....*^.(.......(...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45136
                                                                                                                                                                                                                                        Entropy (8bit):6.428795819452189
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:UxddbVKFC/2DfTMFeuzpdUTVoIEu3GzN/EpYi60Mrzp:UNxxAYFeMpdURZEu3Su76fp
                                                                                                                                                                                                                                        MD5:F449AF52D166FCA3D1FA110D7BF18EE1
                                                                                                                                                                                                                                        SHA1:AF56A8B9598A37F1A9844252B2E5177CF47F2BE4
                                                                                                                                                                                                                                        SHA-256:BF4BBD45B08C2AAFA3CBCA51443A4C8951E5530ADE33FB12CD060DC332CAB177
                                                                                                                                                                                                                                        SHA-512:00D43EE6491FBABE14EEF7323A64D6DF9B4CA0338DF428EAF12D8F287AC16E0EDB1F08BE35A4D7720F50C3841FABE1BC107A1E3AEFCBDD49F40BF774E3F8E006
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s..........." ..0..~..........&.... ........... ...............................~....`....................................O.......p...............P(.............T............................................ ............... ..H............text...,|... ...~.................. ..`.rsrc...p...........................@..@.reloc..............................@..B........................H........;..(Y..................D.........................................("...*^.("......V...%...}....*:.(".....}....*:.(".....}....*:.(".....}....*:.(".....}....**.-..(....*..s#...z.~....*...0..........(....,..*..(.....o$......&...*.............. ....0...........(.......(%...-..,..*.*.(....,.r...p......%...%...(&...*..('...*.(....,.r...p......%...%...%...(&...*...((...*.(....,!r...p......%...%...%...%...(&...*....()...*..,&(....,..r...pr...p.(&...(*...*..(+...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):47184
                                                                                                                                                                                                                                        Entropy (8bit):6.372186477195459
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:nkfEnkM0vRbJ05axPAONhO+JZIkp5ygv/MFyEpYi60xT:sEkMoRxtzIk3ygv/Mh76I
                                                                                                                                                                                                                                        MD5:450582CE35B3A02ED828AD928E0C455C
                                                                                                                                                                                                                                        SHA1:EE929973FA7577C9492D99B975FC09B1C6E65C15
                                                                                                                                                                                                                                        SHA-256:17B1A1197ADF44736D874FD2D95E33EE76BE38A97561ECDE37293B4011BD49D2
                                                                                                                                                                                                                                        SHA-512:4CC5CC3FB9016EE499E86B14F328DF078124C06B14E7FC731A10685DEF6D381BA7BFA968E1A31847A15FDA2F688558A7746B8486CA5E91BBA2376788D1D8BE95
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....*..........." ..0.................. ........... ...............................\....`.................................k...O.......H...............P(..........d...T............................................ ............... ..H............text....... ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........D...X..............H............................................($...*^.($......@...%...}....*:.($.....}....*:.($.....}....*:.($.....}....*:.($.....}....**.-..(....*..s%...z.~....*...0..........(....,..*..(.....o&......&...*...................0...........(.......('...-..,..*.*.(....,.r...p......%...%...((...*..()...*.(....,.r...p......%...%...%...((...*...(*...*.(....,!r...p......%...%...%...%...((...*....(+...*..,&(....,..r...pr...p.((...(,...*..(-...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33872
                                                                                                                                                                                                                                        Entropy (8bit):6.464430553650891
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:pup+kjcS4GAF7ItpTYbg8lAZnsboXMEpYi60n0y:pi+YoF7Itmbg82sbo176Ty
                                                                                                                                                                                                                                        MD5:70AD333E5F1E224644C269005FA2D71B
                                                                                                                                                                                                                                        SHA1:1E3FD3E37C5A4AF35E8AA9A88E0D4C6A48114EF3
                                                                                                                                                                                                                                        SHA-256:DCC3BACC8AE4841338386E897A28A3B20A1ADF7B95389152390F4A93DFD5BFDC
                                                                                                                                                                                                                                        SHA-512:8FAF111A9B55F2189A4DDC3060ED485036938E0681BF60CF2E8611CA698EB1A90DBACBB2D6729DEACBA4AB09324651B019D75638C28B035B919D41057805DBCC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kq..........." ..0..R...........p... ........... ....................................`.................................;p..O.......8............\..P(..........0o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...8............T..............@..@.reloc...............Z..............@..B................op......H.......</..,<..........hk..H....n........................................(....*^.(.......I...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66640
                                                                                                                                                                                                                                        Entropy (8bit):6.301325813866528
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:myK1UG8tMAv0by0P/vGCnbr1hmiBPIIk+v76U:mykl8tla/nbr1kiBx3vP
                                                                                                                                                                                                                                        MD5:FE98F581483729C0D911BD0C2342F924
                                                                                                                                                                                                                                        SHA1:EAC4DDEDAA515BC476B70CFB9CF9885FFC02D332
                                                                                                                                                                                                                                        SHA-256:945316F7746938D97B136E40F5A04EC71A88AC6D0449D2D62D472F4666848885
                                                                                                                                                                                                                                        SHA-512:BDCF12D0C8A1BAA82ECED4639890E580807D6A11FCD6E0E9CA0129B88628FF8D3A8FE26BDC7C14733B04720163BBD6511E3E759C93A091E8676F056F2E1B83B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*t............" ..0.................. ........... .......................@......B.....`.................................i...O.......................P(... ......x...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........R..l...........X.................................................(!...*^.(!......p...%...}....*:.(!.....}....*:.(!.....}....*:.(!.....}....*:.(!.....}....**.-..(....*..s"...z.~....*...0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69712
                                                                                                                                                                                                                                        Entropy (8bit):6.223827955087223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:DsDE/e+9cxoZhNyjcMiJSAopUx+ZM76ohkz:gDE2HozNyjcf4o2MTkz
                                                                                                                                                                                                                                        MD5:6E2697DB393D6E8AA67CB5058C78F8B9
                                                                                                                                                                                                                                        SHA1:D9039790C698CF0BAAD4067AA223BC59D99B86CD
                                                                                                                                                                                                                                        SHA-256:E0133F189FC3561BA5308529E78FD212EA16F681BEC8670E51B3473567E259CF
                                                                                                                                                                                                                                        SHA-512:1CCCF23A2D5BDDD98A988FAE9B52EE84B9C7428951BA22988B21197F825EA76FECAB2C0E309272E69C1A9B226B0997E0C0A306E84DC29873B862400963A2CA10
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p............" ..0.................. ........... .......................@......:2....`.................................S...O....... ...............P(... ......`...T............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........T..............`.................................................(....*..(....*^.(.......\...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...( ...*..(!...*.(....,.r...p......%...%...%...( ...*...("...*.(....,!r...p......%...%...%...%...( ...*....(#...*..,&(....,..r...pr...p.( ...($...*..(%...*.*.(....,.r...p......%...%...( ...*...(&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64080
                                                                                                                                                                                                                                        Entropy (8bit):6.288018545132408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:k5HPh4EAiOY3m47MHUlIarqNCd4/gZaLstEQDNKTqRLtfYrxcfC8WEpYi60Yj2:k5PhAi33m3UOZsd4IZnuQDLtfjfCG76o
                                                                                                                                                                                                                                        MD5:5B798C46513ABC795D47C034F316C4D6
                                                                                                                                                                                                                                        SHA1:26550D71839DD8BD36DB8B2E20ABF3D9B42D3E77
                                                                                                                                                                                                                                        SHA-256:E265A7EB1DC1A85CC822C826D4D5691EB71F7D70FD06A4F36B6B531192A8FB6C
                                                                                                                                                                                                                                        SHA-512:F8AA5A4D125E3149EBF07ABB9A9CB0F026C35585CEAD385A8FBAA93F42502FCFE91B28B13C058C11A11A52D65C8A0A8C93C18A98A457117904CE28711EDF1D3E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S............." ..0.................. ........... .......................@............`.....................................O.......................P(... ..........T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......PO..............X.................................................()...*^.()......N...%...}....*:.().....}....*:.().....}....*:.().....}....*:.().....}....**.-..(....*..s*...z.~....*...0..........(....,..*..(.....o+......&...*..............!....0...........(.......(,...-..,..*.*.(....,.r...p......%...%...(-...*..(....*.(....,.r...p......%...%...%...(-...*...(/...*.(....,!r...p......%...%...%...%...(-...*....(0...*..,&(....,..r...pr...p.(-...(1...*..(2...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28240
                                                                                                                                                                                                                                        Entropy (8bit):6.540408498244601
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:b1YBj07ZyQvkBd9aocTPMuiEjYpR6K698kwgcWWxseU7RWsXNyb8E9VF6IYijSJx:54jUv6iT9jsi8HyeU7LbEpYi60lG
                                                                                                                                                                                                                                        MD5:EFF907D202C8276FAC2E40C6FB05A0B7
                                                                                                                                                                                                                                        SHA1:80B065082AF0D56757CD22192ADCCB093B56392A
                                                                                                                                                                                                                                        SHA-256:7B496A21EBE9EEEAA50D2BF4D7A8E5E4ED44A8E1EDC20E62211EC463855D2833
                                                                                                                                                                                                                                        SHA-512:A4E879E1B74E005650F72B37A6AE1D463927D647EA0869DB155C2C492B26666A44BF577A9C55FCE08834389A0C9954ECA5DC355BDBF370B3084D59F52435D090
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Oe..........." ..0..<...........Z... ...`....... ..............................m.....`.................................1Z..O....`..L............F..P(..........$Y..T............................................ ............... ..H............text....:... ...<.................. ..`.rsrc...L....`.......>..............@..@.reloc...............D..............@..B................eZ......H........&..d...........\U..H....X........................................(....*^.(.......7...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..( ...*.(....,.r...p......%...%...%...(....*...(!...*.(....,!r...p......%...%...%...%...(....*....("...*..,&(....,..r...pr...p.(....(#...*..($...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59472
                                                                                                                                                                                                                                        Entropy (8bit):6.331423870898674
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:H7WAluzJ+Je2PS7kJFT+OUjz+Tf26auuPF1/krd6zkwQRIOIzb7E5EpYi604:bJ4V26g1YuuP/2IOef76B
                                                                                                                                                                                                                                        MD5:F871C018EF2B25D9FBDCBC6553565B56
                                                                                                                                                                                                                                        SHA1:4B9A73EB7EF4D9AE38F6C60C917D3D552142C9C4
                                                                                                                                                                                                                                        SHA-256:C632FFBE353493B69C6D1A7B3DE49B99BA53454C0BB6D550AECA01941D37BD68
                                                                                                                                                                                                                                        SHA-512:664AD86077CFE852FF74391DD22B77EBC661A1887B6BFEDB756784433E54B345CE6BFE90F321A513514005332D0D9BE1654EE4EA85337BB165688438ED3FF293
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0.............:.... ........... ....................... ............`.....................................O.......L...............P(..............T............................................ ............... ..H............text...@.... ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H........H..t...........l.......d.........................................()...*^.()......a...%...}....*:.().....}....*:.().....}....*:.().....}....*:.().....}....**.-..(....*..s*...z..0..l.........~..........(+...*(,........,.r...p(-.......+.r...p(-.....,..ry..p(....-..r}..p.o/...+..+....(0...........*.0..%.........~.......3.(....-..+..%............*F................*..0..<.......r...p..(1...,..*r...p(-.....,..ry..p(....-..r}..p.o/...*.*.*.~....*..0..........(....,..*..(....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21072
                                                                                                                                                                                                                                        Entropy (8bit):6.656390892419785
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZzhlvlfTcbY3SCkWJOVMWskNyb8E9VF6IYijSJIVx2aJq2h:zrfTcbY+uEEpYi60T/h
                                                                                                                                                                                                                                        MD5:19104941CD113377E35CCF5135A1843D
                                                                                                                                                                                                                                        SHA1:1923E051D328975BC5EDEB6EF86FA50B1CCF6056
                                                                                                                                                                                                                                        SHA-256:889D30261A9EA753260F72BD561026685D45503849745CC8C25D5B9B3A1F3C5E
                                                                                                                                                                                                                                        SHA-512:FB365CB21D5EC578DB082D58FDFBF7F1D54F318156CB00F2BE872F1902D212B978CE36522C6C72C43D8CA471DB48EDE64378720C5A01662F1F86ACB4250E9DC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.}..........." ..0..............=... ...@....... ....................................`.................................-=..O....@..(............*..P(...`......0<..T............................................ ............... ..H............text........ ...................... ..`.rsrc...(....@....... ..............@..@.reloc.......`.......(..............@..B................a=......H.......H"..h....................;........................................(....*^.(.......)...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*J.o....(...+(.....*..(....*.~....*.*.(....*.s.........*.~....*..(....*.*.s.........*:.(......}....*.(....*F(....,........*.*...0............(....-.*..r...p(.........o .....(!...,.*....("......(...+..r...p($

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26192
                                                                                                                                                                                                                                        Entropy (8bit):6.641194802197715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:B3WWQsE/8iqjnqHTnBdOHFgYVwOU3NW2qFWspUNyb8E9VF6IYijSJIVxUo0elF:B3hQsE/8irTnfYFr/pUEpYi601nn
                                                                                                                                                                                                                                        MD5:DB9A42C37C2014B7211C8B1ADF138D9D
                                                                                                                                                                                                                                        SHA1:5FED4CC63EA69D11A999F972D38650441023C772
                                                                                                                                                                                                                                        SHA-256:B946DB49D488535D18536DB06BE4F1CA51FF1A2D9B16C3F082F8643A2379E6FF
                                                                                                                                                                                                                                        SHA-512:E080F4543D4B940C45F5E752562626546E0AF5FD07D2C8B344B87A83D67521390368CB048A88439DE4F36C22F2D7087ABDB52CD6902C11AEEE27FEFA4E73C883
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Su..........." ..0..4...........S... ...`....... ....................................`..................................S..O....`..`............>..P(...........R..T............................................ ............... ..H............text....3... ...4.................. ..`.rsrc...`....`.......6..............@..@.reloc...............<..............@..B.................S......H........'..T*.................. R........................................(....*^.(.......5...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*v.r...p(.....o....(...+(.....*..r...p(.....r...p(.....o.....s'...(...+(.....*..r#..p(.....(....&.o.....(...+&.*..("...*.~....*.*.(....*.s.........*.~....*..("...*.*.s.........*...0..x........("....r7..p(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35408
                                                                                                                                                                                                                                        Entropy (8bit):6.575755204796465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9oi0m9/A58Ph+mJ5fvIK0ixTryfCWo/zKeGmquanccOB30RtWW3aUWs1Nyb8E9VM:LDhbJ5nR02TQCWoJ92REpYi60Kk6
                                                                                                                                                                                                                                        MD5:3991CE21FDAF6242736D350CFF3DC68F
                                                                                                                                                                                                                                        SHA1:042C5A56BE96744D3095F9C41B6DFF7D7EE0121F
                                                                                                                                                                                                                                        SHA-256:D127E3F78779D0E387E974CE196398F92BDAF232C8CDE0FFADE87619BAD7B2F8
                                                                                                                                                                                                                                        SHA-512:3DB24ADB02EC97397FCD1125E8BCC69E27CA9456BE7082FA4C5063E1D5BC77ED435F9C8E2FA4E1D561A11FC715AF143D72228388D7295370C9DE0A0B4109FEEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u............." ..0..X..........nw... ........... ....................................`..................................w..O....................b..P(...........v..T............................................ ............... ..H............text...tW... ...X.................. ..`.rsrc................Z..............@..@.reloc...............`..............@..B................Mw......H.......X0..8E...................u........................................("...*^.("......J...%...}....*:.(".....}....*:.(".....}....*:.(".....}....*:.(".....}....**.-..(....*..s#...z:.(".....}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.($.....}....*....0..+........{....oG......+......o%....o&.....X....i2.*:.($.....}....*2.{....oB...*..{....*..0..M........r...p(.....o'...~"...(...+.o'...(...+(*....o'...(...+(*....o'...(...+(*....*..($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48208
                                                                                                                                                                                                                                        Entropy (8bit):6.410791336032204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:17d427HfKy1DQ+SKKKKzqPo6Zkn2qZKqLzZdd0UFxtEpYi60p7uh:17d42LfKy3SKKKKr8keqBdd0UFE76Jh
                                                                                                                                                                                                                                        MD5:9EDB59E26F2E2B161437BE30E12D1BA5
                                                                                                                                                                                                                                        SHA1:68A9538F0207FD95F538DC6BC98500B577CA4263
                                                                                                                                                                                                                                        SHA-256:79C7D9C74FDABB58C6355DDF98A842547CE8EE42E01191FB4A12BDAE8ADA5AD6
                                                                                                                                                                                                                                        SHA-512:DE2CAE46848949BE67BF1D1C96534F873C080A118ED3D059927440DCB4CD864944DF567AD63DC9804E92ED5B9AE9ACDC62D9CBE82A6319EA633568F4DF0DB1D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H..........." ..0.............Z.... ........... ...............................M....`.....................................O.......(...............P(..............T............................................ ............... ..H............text...`.... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B................9.......H.......\?...d...........................................................('...*^.('......W...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*:.('.....}....**.-..(....*..s(...z.~....*...0..........(....,..*..(.....o)......&...*...................0...........(.......(*...-..,..*.*.(....,.r...p......%...%...(+...*..(,...*.(....,.r...p......%...%...%...(+...*...(-...*.(....,!r...p......%...%...%...%...(+...*....(....*..,&(....,..r...pr...p.(+...(/...*..(0...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24144
                                                                                                                                                                                                                                        Entropy (8bit):6.629489538581648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zy1x30dJaeTP8pBT7xe3SUDtzWzK0Ws0Nyb8E9VF6IYijSJIVx61mx4GWR:zq/eTeABdW0EpYi60a24x
                                                                                                                                                                                                                                        MD5:B79DE0C189657DC7695959CC7F723B31
                                                                                                                                                                                                                                        SHA1:B95CAE2523413CD5E98D08B6BF40CD6B1AE30BB9
                                                                                                                                                                                                                                        SHA-256:A75961BB014A0283BD150247EEC925CA0D2717E1FDF27262C421AB214278830E
                                                                                                                                                                                                                                        SHA-512:2B2F74E85682029B6D6E7F918E4CBF159E1E2D1764B04BBB57E3A83EFB38C94EA82F9EA6E3680C24F1466CEFB89F0990E792F62617EDB7D39DFB28D57393CA7D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D3..........." ..0..,..........FK... ...`....... ..............................8x....`..................................J..O....`...............6..P(...........I..T............................................ ............... ..H............text...L+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................%K......H.......0$.. %..................PI........................................(....*^.(.......*...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.(......}....*..{....*..{....*"..}....*...~....%-.&~..........s....%.....(...+*..r...p(.....o.....o......(...+&.*.0..P.......s ......}!.....}"....r...p(.....{!...r...p(........#...s$...o...+&.o....(...+&.*

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61520
                                                                                                                                                                                                                                        Entropy (8bit):6.347288911250665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Wg+uGuV+1mb5JtoNIHQs1YyH67beAn9eLfLaV7CvS4fEpYi60k7M:Wg+uGuV+1mbaqvy9OfLKMS4Y76K
                                                                                                                                                                                                                                        MD5:3D389341072F7E3007CBAF89BE2CEE07
                                                                                                                                                                                                                                        SHA1:955F0CD9BE38B30430CBE1C679B6D9F8BEE2D6F5
                                                                                                                                                                                                                                        SHA-256:CA3E34116E3425D94ABF9C11C53C64DE61A4C9B59382E31846552B7067BE2041
                                                                                                                                                                                                                                        SHA-512:1F3FBC2C7EABC68336F76136CF5FB9C8FB3C52E586B082C555CD128E0424E0A566B6CC29CC38BF5470460500D7190E13AA9ADC57D33AD53EE1AD1BF07C59A07E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....%..........." ..0.................. ........... ....................... ......G.....`.....................................O.......H...............P(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........F.....................0.........................................('...*^.('......G...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*:.('.....}....**.-..(....*..s(...z.~....*...0..........(....,..*..(.....o)......&...*...................0...........(.......(*...-..,..*.*.(....,.r...p......%...%...(+...*..(,...*.(....,.r...p......%...%...%...(+...*...(-...*.(....,!r...p......%...%...%...%...(+...*....(....*..,&(....,..r...pr...p.(+...(/...*..(0...*.*.(....,.r..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42576
                                                                                                                                                                                                                                        Entropy (8bit):6.372478146658094
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:NKsIwjxNp8hpwVeEfHuX1QUIh3kOP7oIyWb3jec/uiCR9Crw3EpYi602p:Jd8hMfHuXbIkOP7ym3jZ/uiCRgrJ76f
                                                                                                                                                                                                                                        MD5:BD3A0337F0C30918BDC188857D425C74
                                                                                                                                                                                                                                        SHA1:872EE96948F18F238C11EE675288A7D49015AD55
                                                                                                                                                                                                                                        SHA-256:4DA12341EEA412DE444F0CB5D534FA9D3552778922D4165D47D697917EA9BEFD
                                                                                                                                                                                                                                        SHA-512:F71FBD9D25D5C560F45A41491226461F6CB842A9385071F8CDB99E8BB7264355671A06A50ABCCB1D59F8F31B32AA015897279ED8FEFBD58E7D9739DE77452C94
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.:..........." ..0..r............... ........... ....................................`................................./...O.......l............~..P(..........8...T............................................ ............... ..H............text....q... ...r.................. ..`.rsrc...l............t..............@..@.reloc...............|..............@..B................c.......H........:...O............................................................(-...*^.(-......G...%...}....*:.(-.....}....*:.(-.....}....*:.(-.....}....*:.(-.....}....*.~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(/...-..,..*.*.(....,.r...p......%...%...(0...*..(1...*.(....,.r...p......%...%...%...(0...*...(2...*.(....,!r...p......%...%...%...%...(0...*....(3...*..,&(....,..r...pr...p.(0...(4...*..(5...*.*.(....,.r...p......%...%...(0..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):345168
                                                                                                                                                                                                                                        Entropy (8bit):6.141653165126045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:qpc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8weR:LpTCqAn+fnw5h9hdls+IZTWc8
                                                                                                                                                                                                                                        MD5:8AD62152C774F9E5E863647986176CEC
                                                                                                                                                                                                                                        SHA1:CBFD226349772DE4A7BD1A397B9A197DA5EF17DB
                                                                                                                                                                                                                                        SHA-256:FBB92409C4C7FC62934E0EAA2B7B9D9B3FC166EEAB22100BEDDACE141A90E14C
                                                                                                                                                                                                                                        SHA-512:BAB680BAAA50CB5E828BB06FFDEA52BC0F648F206416AFC15E06B3577713950473E7D67699E20AE8A832AB90607C5CFBC10335FC98CF591C1DFA00A18023BA09
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z............." ..0..............0... ...@....... ....................................`.................................S0..O....@..................P(...`......D/..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H...........xZ..........|...H.............................................{....*..{....*V.(......}......}....*...0..A........u2.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q5....5...-.&.+...5...o.....%..{.......%q6....6...-.&.+...6...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u7.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710736
                                                                                                                                                                                                                                        Entropy (8bit):5.954096125476881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:OFIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDM6:CzMTMNNd+g5Wk78GBBjgrIQtDt
                                                                                                                                                                                                                                        MD5:0F2FCE599017F8E46AB778CE1BE8CEEC
                                                                                                                                                                                                                                        SHA1:DEE6ED88C5E2E6CD3C247A0A2C6AA2232D84AE1D
                                                                                                                                                                                                                                        SHA-256:0C99EA300932D53DBB69BE97A76BBF6249DE62F98307661747739738602EE66A
                                                                                                                                                                                                                                        SHA-512:98C517BAB3D7FA4DE0AE888137C741DC25CF48503D4610C3B7F1D9BAE948BE2054BFF708398C02688BF793F2F8F9B2A5C8A8BAD41E2CBD2DFF76384592459BAD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)..........." ..0.............>.... ........... ....................... ............`.....................................O.......................P(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............9............................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*.(.........*....}.....(......{.....X.....}....*....0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..o....aX...X...o....2.....cY.....cY....cY..{......{...._..+&.{|..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285776
                                                                                                                                                                                                                                        Entropy (8bit):6.198246078607741
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:5MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcOY:5MZpj06vUsMjbQ77D+w
                                                                                                                                                                                                                                        MD5:DE269EBB2341B2C8FBC1867929486CA3
                                                                                                                                                                                                                                        SHA1:8FFA56B29C1BF1D710EF28BB09FC1E5F61355BC7
                                                                                                                                                                                                                                        SHA-256:5E6E72C150F55DFFD43A42CF6674895734971C8EC761DE639DFBA575B82403B8
                                                                                                                                                                                                                                        SHA-512:43CF7760C7AD945277EAF9F075F3807B0222AEC4B440FDD3FCC8DECD56C74EF3E71953418ABEFA2F5C55314F397A68F20807235B09CDE5C8E36E0C3AC1AC6698
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..*...........H... ...`....... ...............................G....`..................................H..O....`..L............4..P(...........G..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H.......Xd......................TG......................................^.{....,.(G...z..}.....*^.{....,.(G...z..}.....*"..(L...*"..(M...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38992
                                                                                                                                                                                                                                        Entropy (8bit):6.293140443991646
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ydfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIdU:yxuJRRsnHnyhQupytM9z7O3zfXYvj8r/
                                                                                                                                                                                                                                        MD5:7375A255242837552CD21BCFF925B0A4
                                                                                                                                                                                                                                        SHA1:60EC69A8DDFD76EEE9CF8FB9CED5ED5EE899AA5A
                                                                                                                                                                                                                                        SHA-256:C83CFA4CC990CB769A7B7FEF91625D8521670465819BB462166B3BD5F938491B
                                                                                                                                                                                                                                        SHA-512:196A9FC65340A4DA2EEE47A7EE40C0061AE6681CE05EE54E476E101A4A2F806199CD78EE08707D6A9CF79B5006FF2B21226BB5FCFDFBD83805C6BAF896A038A9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..f..........Z.... ........... ....................................`.....................................O....................p..P(.............T............................................ ............... ..H............text...`e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B................;.......H.......tF...=..................t.......................................2.o....s9...*6..s4...o....*..0..>.......sg......}......}......}.....-.r...ps....z....h...s....o....&.*...0..C.......sk......}.....-.r...ps....z.{....-.r...ps....z....l...s......(....*..0..{.......sm......}......}!.....}"....-.r...ps....z.{!...-.r...ps....z.(....u....} .....{ ...,..{"......+..}........n...s....o....&.*..0..U.......st......}(....-.r1..ps....z....u...s....(...+&.~....%-.&~......f...s....%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.552018898582154
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYhNyb8E9VF6IYijSJIVxKtKu:pSCZUl2O1zCnXyzDeEpYi60kf
                                                                                                                                                                                                                                        MD5:1D8206B4D0D1BD662025D28CA5A46E58
                                                                                                                                                                                                                                        SHA1:88524C086E4DBD6625FACA3DD4B53B2491084111
                                                                                                                                                                                                                                        SHA-256:447D1CC45EE11F2DD755B4F54DCF3F5903429C11029FC48CEDC1B85E4F28B78D
                                                                                                                                                                                                                                        SHA-512:31A94DDAE20FD48A282A5C8DA8ED7B97D5A83DEBF6CF89AE91FE267D0095022F3CCB54EBBCA6EB85E82E57DB7521B2702FFF0BF10AF043BEE76987DCC6A35979
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....m..........." ..0..:..........vX... ...`....... ...............................}....`................................."X..O....`..h............D..P(...........W..T............................................ ............... ..H............text...|8... ...:.................. ..`.rsrc...h....`.......<..............@..@.reloc...............B..............@..B................VX......H.......H...H(...................V........................................(....*..(....*..-.r...ps....z.-.r...ps....z..s......o....*v.-.r1..ps....z...s....o.....*...0..V.......s.......}.....-.rA..ps....z.,..o......./...s....(...+&+...{.....s....(....&...(...+&.*...0...........-.rQ..ps....z.o.... ....1..{.....o....*.{.....o....t......,..*.{.....o......{..........(.....{....o.... ....3..{....o ....{......o!......,..(".....*.........U.4.........s#...}.....s$...}.....s%...}.....(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):41552
                                                                                                                                                                                                                                        Entropy (8bit):6.317883878515866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:+3UqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BCEpYi60+:XLrgfPw3mXREaD76v
                                                                                                                                                                                                                                        MD5:142B51D1CB3F8220FE69404159703BE2
                                                                                                                                                                                                                                        SHA1:B69B8678B08F5674C533B728A895FDBE9F0E051F
                                                                                                                                                                                                                                        SHA-256:96811558375D8C94A486D0C604BB8299CBD484CBE7985600F403D5D884B1A8AA
                                                                                                                                                                                                                                        SHA-512:4BE4FB76CB05CD872B3CFD829DD08D00F5567D331479A3134A3A60AD5879DD21382CC794551E7F75C1AE85632018EF5E46AF59DF577EAF3CEA36C61F74894860
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z..........." ..0..p............... ........... ....................................`....................................O....................z..P(.............T............................................ ............... ..H............text...$n... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H........<...O..................X.........................................(....*^.(.......D...%...}....*:.(......}....*:.(......}....*...0..,.............................................(....*.0..*...........................................(....*...0..(.........................................(....*.0..&.......................................(....*...0..S........-.r...ps....z.-.r%..ps....z.-.r/..ps....z...s ..............................(....*..0..V........-.r...ps....z.-.rM.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138320
                                                                                                                                                                                                                                        Entropy (8bit):6.15934663093023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDt4NO:cbKKz1UeZk/Phv8lDuPaV
                                                                                                                                                                                                                                        MD5:E465521C59C11C51738CC4174E8FCC68
                                                                                                                                                                                                                                        SHA1:C782E51D40FE696A2E4E5314CFC46A071A409BBF
                                                                                                                                                                                                                                        SHA-256:B387C5C612C559DE5EA70D873BED490CA3FBE40073E73F0EAD5E2FFD09C3642D
                                                                                                                                                                                                                                        SHA-512:F9C269801D26E67235ACD30B2655F3E5A71FA58D617D503242933E374447726A93007AE3AE97F835BB7539A9169E2EF6192815D866F1383D4EAF41CD3FD96016
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\..........." ..0.............6.... ... ....... .......................`......k~....`.....................................O.... ..................P(...@..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......h...0O............................................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. ... )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0..b........r...p......%..{)......%q.........-.&.+.......o2....%..{*......%q.........-.&.+.......o2....(3...*..{4...*..{5...*V.(+.....}4.....}5...*.0..;........u......,/(,....{4....{4...o-...,.(.....{5....{5...o/...*.*. .T.2 )UU.Z(,....{4...o0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150096
                                                                                                                                                                                                                                        Entropy (8bit):6.237726048640069
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:O0B07tjJYVNSCn+tn3nUMI000000I+49U2BL1krTe:907iSqSnkMDjy2
                                                                                                                                                                                                                                        MD5:C62817B604D61C7713A7E653F31A85A2
                                                                                                                                                                                                                                        SHA1:5076C010961D64C70E20A8E0B1264DE862F1A002
                                                                                                                                                                                                                                        SHA-256:1D4F20AB1FFD4CE57C198F8851671061E06513416FB3764607A9D63EFA693891
                                                                                                                                                                                                                                        SHA-512:4554475857586EC327EE561DACE31D83F4E328E1F4D38D5F9AA3EA15A51A46508EE19F44BE534F0D09D633B786AFF2499B7A74CEB4DCF32D2A91EFEECE829616
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#9..........."!..0..............4... ........@.. ....................................`..................................4..W....@..............."..P(...`.......3..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................4......H...........lV............................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*..0..&.........+....(....G...Z.(......X....(....2.*...0..L.........(..........(.....Z.(......(.....s....~....%-.&~..........s....%.....(...+*...0Y..5...0Y*..aY.5...aY..X* ....*V..0Y..6...aY......*.*.s.........*..(....*....0..&...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52816
                                                                                                                                                                                                                                        Entropy (8bit):6.178562116222838
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:etgEqel7clEfRWOuDXaVIWb0TadZjirgFDrGfmAXOaYbMlHEpYi60CV:eiprEfsOuD0hhji6DrLbAg76VV
                                                                                                                                                                                                                                        MD5:B60300F33BC14227755C9DA5A088ECD4
                                                                                                                                                                                                                                        SHA1:33D67AF11511813084E18AF7239D10BE4FEABB52
                                                                                                                                                                                                                                        SHA-256:920B101208961328406331DAAF2E579FCA8F10755854BE935DC9E87F9714F39D
                                                                                                                                                                                                                                        SHA-512:61A108811E3B6E1FBDF481C6842A56836CF61F9A13A745D0108A5D222451B43BF955D9F454BDD0D66A8F1D429348415F478D30E44EC83822EAEA3F9DD1C0D377
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L..........." ..0.............Z.... ........... ..............................;.....`.....................................O.......................P(..............T............................................ ............... ..H............text...`.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................;.......H.......<5..,m..........h...0.............................................()...*:.().....}....*.~....*...0..........(....,..*..(.....o*......&...*...................0...........(.......(+...-..,..*.*.(....,.r...p......%...%...(,...*..(-...*.(....,.r...p......%...%...%...(,...*...(....*.(....,!r...p......%...%...%...%...(,...*....(/...*..,&(....,..r...pr...p.(,...(0...*..(1...*.*.(....,.r...p......%...%...(,...*...(2...*.(....,.r...p......%...%...%...(,...*....(3...*.(....,"r.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.560006548424685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:AiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufPU1S5rxg0XWr:v1Nvb5adVl8P2djJMZJSGu3z5rxg0XWr
                                                                                                                                                                                                                                        MD5:63E9B310597AC25A1CEAA55B6F0CC9F3
                                                                                                                                                                                                                                        SHA1:0C5B170ABA511F479E593727CF7F562523EA7E8C
                                                                                                                                                                                                                                        SHA-256:96B51BB87A1F4072D10B774FFADF81AF93881900571D21FE638E10E3FB0220B8
                                                                                                                                                                                                                                        SHA-512:3BAF3836F8F42DF2D3444409115A3564B0961CD3141CC46E248E6E29A59EC773E511477D8DED4BE05125F2F45E987FD6F94AC5676C318A728B7CA63EB78E9056
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................9... ...@....... ..............................;.....@..................................9..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................9......H........4............... ......P ........................................H.W..Q.2.<.L......H.*...W.!".5....8...}P1......#....Z.N..d.....o...P.....@G...g.g..7.w.!V_..4..7.=.G.".8%..q..G....a...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.43329064965383
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ycWWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAPq115rxg0XWr:yc1NvbGVxx6hUltfxgE00cLq5rxg0XWr
                                                                                                                                                                                                                                        MD5:94136496103CA7B4425EB6D639EEC501
                                                                                                                                                                                                                                        SHA1:AC8F3F4E7C04D4BEEFBA94004A114880662C8387
                                                                                                                                                                                                                                        SHA-256:A3A44472A3944FF0D5C31241BF6DD9B6AE04EAE03581D338B53E3E41EED7141D
                                                                                                                                                                                                                                        SHA-512:04F4614C5BCF97EC643079D50FFA800B2F89A503E02D7DA6FF97AA463993A6964833068063C5A144C7E7D44BEAF082B43EA672F66B4E831EC2CE828666C4965B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................n:... ...@....... ...............................x....@................................. :..K....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................P:......H.......,5............... ..\...P ........................................^M...=..A'R..\N.....U.{..-.Y+........E.?.......3.....#..9.v..2q..?..L..>s.SI.....}...M..Q.=.w....(<.I...,....>^..E..J..X..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.581775279455886
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:R/WWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VPH1g5rxg0XWr:R/1NvbdKJiDjgmlRi0HYZDMa5rxg0XWr
                                                                                                                                                                                                                                        MD5:8C7822BE67F1576F2E11817826ABE40E
                                                                                                                                                                                                                                        SHA1:9B9EDD5FEE4415CB7FB09F0940BEAAFF1C107EB7
                                                                                                                                                                                                                                        SHA-256:C9A7CFE32AB4567D671A84397ABDA29CC92B21CB412CE0F0DF12352C68B7460F
                                                                                                                                                                                                                                        SHA-512:70F76DFFB3FE25F1D3550BEC3C168805AB422C6A0505DDDD21EB2A5B59F24D5F37AEDE0DBEBCF16F821868789E17A87AE61442BE6525ECA0461C0146E4E6B850
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................^;... ...@....... ....................................@..................................;..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................@;......H........6............... ..?...P ......................................S...8cY)..6. .X.YE...W.....*.......r.~@.]\.D.3.....4I...P.u.....Y2Y.n....)@.xV.#g..V.tI.&.gy8....)U..@k..n...FF..w..6.) R.;..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.368843686720491
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPk1q5rxg0XWr:31NvbGTNgr1nJI3+07M75rxg0XWr
                                                                                                                                                                                                                                        MD5:79C01911FD90F929CCBD1D4964D2C17A
                                                                                                                                                                                                                                        SHA1:1878855F9C350B245C3258204A754770CAD776A3
                                                                                                                                                                                                                                        SHA-256:E8F0F7F9E9F2D836AAA341A39D3B395B397BAC0B88F6DDED3F159A6C8D2D74A1
                                                                                                                                                                                                                                        SHA-512:0C820224F516FE888621C09E3ED1870AC4B702AB97B1CE3CE4463445FC96F9D8798C97B6AE6ECFF1175D8D8EE8657052AF0E42D03B55340635CF9F5E65A9D6FA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................9... ...@....... ....................................@..................................9..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................9......H........4............... ......P ........................................^V..d.~.R.t..i....v=.pIE\..#.}-{.u4....fIk.9.A..G....P_.S.u...w...J.AY....,.v.. ...A..."./..%.z+...".e..:.d....t.G...o................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.593201257102684
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:9SWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPE1V5rxg0XWr:9S1NvbaG1cxy8ONHskd85rxg0XWr
                                                                                                                                                                                                                                        MD5:437252DA54AB3171BC7DE366E5494AD8
                                                                                                                                                                                                                                        SHA1:A4FCFD9240B28C836240D4CAA4C9EC8DE38F6E9F
                                                                                                                                                                                                                                        SHA-256:9BFB9826E286B55AA5A580A5C220114063871B1EA8C541DF783A73EF8E72806B
                                                                                                                                                                                                                                        SHA-512:8D56A2EF0DE3B3BF16FE4D931EE6D6A8119E4CD7B3FFA52AC3EF65CEA2A2F4C4E99ED536757546A54CD5A2318A1BA4E70E6425367402CFD06345FEA6EE8442C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................;... ...@....... ..............................._....@..................................:..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................:......H........5............... ......P .......................................4....4...L.."...J...%-..............Drc....4.....n.3Cw .r$y.4......%..5[YupFe....R..!`..#h.I..-3..kH..:~ya..P9....PD.}...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.84740063117937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:AHwWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlN1O5rxg0XWr:AQ1NvbH7O9JKgglrCPChnYVC5E5rxg06
                                                                                                                                                                                                                                        MD5:44CC811E193FB220954A0E56AF6F7682
                                                                                                                                                                                                                                        SHA1:B1437F518F3D8E8DEAD506D7E352B69593486244
                                                                                                                                                                                                                                        SHA-256:8CDCF449550DF3F9CACD3A8A41D19D6144BB0FED630825D6118D4077F637BC35
                                                                                                                                                                                                                                        SHA-512:E3FE956494F6179D6A725ECA38FE0E0739A14300DE035093212B0169BED45374E3792EBF7DF916996923777CCB9842C04D9B954D30094D51CE81A892D8F49385
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................~=... ...@....... ....................................@.................................,=..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......(..............@..B................`=......H.......88............... ..e...P .......................................s....E..s....D6..|G....Kc....,..M......8..................}..\.bf..qe.T....w RF..B..y5fW=...N&GE(..[...._.H.....Y.c...ta..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71312
                                                                                                                                                                                                                                        Entropy (8bit):6.106692533939604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:mxuAEP6SHdOP71+KXUk/lsQDzZfOmLeSo0df9Xzlu:eEP6SHdOItSlXfNeSdf9Xxu
                                                                                                                                                                                                                                        MD5:0631D48880E7DDDDE2733C133BA486BB
                                                                                                                                                                                                                                        SHA1:08BDC5C585123FA5F3B4D670DC92CBAA7620725A
                                                                                                                                                                                                                                        SHA-256:AAD8B9A018FC4C4601EDC7C9169370EEE26628C4D90F967C947BA9A81EC4B224
                                                                                                                                                                                                                                        SHA-512:3AD9C20EF888DBD78AD99673E2242ED45006F204FE704076C7791A681849E4A5DDFA9E38862F26DB8203262536E92F1757FDB6982A9FDE1625C3825D89F08A41
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T............"!..0.................. ........@.. .......................`......B.....`.................................x...S.... ...................(...@......x...T............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......,...Lx..........$d................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*^.(...........%...}....*:.(......}....*....0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(......R...(......d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*f..._....0X....91...X....*.~....*.0..........(....,..*..(.....o.......&...*..................~~....%-.&.....(....s....%.....*.r...p(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):801048
                                                                                                                                                                                                                                        Entropy (8bit):1.7800450887072108
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8qirVlWQX3WT56Os1HnhWgN7acWf53p13s5yX01k9z3Agrf8mNVf0nj:8BriQ+5kHRN76HcYR9zPrf8mrf0nj
                                                                                                                                                                                                                                        MD5:7A44C33341844DBE9C6FA526AF88E80A
                                                                                                                                                                                                                                        SHA1:0ACABD100F61A2F8B3C5E68A270599AD54EB8A39
                                                                                                                                                                                                                                        SHA-256:68F73AB17FB7F4AFF3D35EF6DB0E9D5B0FA0151111CB3D03992E23BC29D6C40A
                                                                                                                                                                                                                                        SHA-512:B81D63B345C193C6DEF17372311447D305AE167B2C4D1C2FDB0344D1E1EF5FF4F9D52599FFD862B2480825B308178737DF7E5E48C31E712339F009E92B6EAF57
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|'............" ..0.............&)... ...@....... ....................................`..................................(..O....@..l................)...`.......'..T............................................ ............... ..H............text...,.... ...................... ..`.rsrc...l....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................H'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......`...#Blob......................3..............................................-.....-...0.....M.................R.................h.....7...........[.....x...........D...................................).....1.....9.....I... .Q.....Y.....a.....i.....q.....y...............................#.....#.....+.....3.X...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159904
                                                                                                                                                                                                                                        Entropy (8bit):6.097873216527841
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eXCCOOz54xuTlmyRmIazZ11Ip5ZUWISFogVJoQyaH5MbDiz:Wz5dQ/cpJISF5c8abC
                                                                                                                                                                                                                                        MD5:950CD24EA3A9EFE5CCE594A8B228AFDA
                                                                                                                                                                                                                                        SHA1:4609AC99EBD157E4C9BF7E276EEA961C4BB3AA4F
                                                                                                                                                                                                                                        SHA-256:2AF781190AB7C97D6B846D5027745D609AD227665695E8ECB3AFD4CC9FCE6537
                                                                                                                                                                                                                                        SHA-512:2E8D0DE29E62732458472B8FA5AC35C48416E6AA5034BE309F688A095E6222A215EA3318FA02358707FBB98918983F2AB8996AC6703585485533ED4975AB7E3F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,............" ..0..>...........]... ...`....... ..............................T.....`..................................]..O....`...............H...(...........\..T............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................]......H............}...........D..0....\........................................(-...*..(-...*:.(-.....}....*..j ....n_ ....n3..*. ...._ ....`*....0..w...........o.......o.................o.....o/.......o.....o/.....(0.........().....(1..............,..o2.....,..o2.....(3....*.........?Z.......0..K...........o.............o.....o/.....(0....(*....(1.............,..o2.....(3....*.........)8.......0...........(+..........*...0..g.........(...+....o.............o.....o/..............(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86816
                                                                                                                                                                                                                                        Entropy (8bit):6.013720216920584
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rqz3g47M9YIB/nRPP6eyO0MIq6y7suFvTbqtN0p7pqHUzH:rq3M5ftPzTLIq6y7sgytNK7p0Uz
                                                                                                                                                                                                                                        MD5:AAB8F9887FA45F30FE04472352E5AFEA
                                                                                                                                                                                                                                        SHA1:8244D05575D13E605B22538D7AE66D4805BC45C0
                                                                                                                                                                                                                                        SHA-256:7DFACED56145F3C6B80DE25A09E0DF6729149EF3C6A8F8F1B559E93B914FD2DE
                                                                                                                                                                                                                                        SHA-512:97BA85978B48324908427833374CB3C19DE01F136D29A3ADCAC350A0555B30087513CD33BB7B18F0CB52CB3E8884E0ACD1BD256704A8B96EA0C4CA8A0F8135CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............<... ...@....... ....................................`................................./<..O....@.. ............*.. )...`...... ;..T............................................ ............... ..H............text........ ...................... ..`.rsrc... ....@....... ..............@..@.reloc.......`.......(..............@..B................c<......H.......hP..............h)..8....:........................................(&...*^.(&......K...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*6.~'....((...*R.~'....((.....()...*..(*...~'...(+...-..(*....s,...(+...*.*2.{-...(....*.~q...*...0..........(....,..*..(.....o.......&...*..............$....0...........(.......(/...-..,..*.*.(....,.r...p......%...%...(0...*..(1...*.(....,.r...p......%...%...%...(0...*...(2...*.(....,!r...p......%...%...%...%...(0.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1152141
                                                                                                                                                                                                                                        Entropy (8bit):7.9996934105504405
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                                                                                                                                                        MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                                                                                                                                                        SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                                                                                                                                                        SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                                                                                                                                                        SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....}BrX.j5.........-...AgentPackageADRemote/AgentPackageADRemote.exe....0........d......0.....r...,.. UMA...|f-].=.U.j..p.....r..f.<..Z..g}m..LC.T.....Y.{s\.k... Y.....4..}..h.<L......L.........z.i9.K..~.ue."#"r.r..p..0.\./R...C.w..8..-.3.t...(.c..P..N....q.v&........u.a.e...]...9....r.@.=\v..B.~{|c.j.S...JL!g..Y@Ts9D$...)P.......{..8...Y...K...Z._".@.....a.8.P..7...ZY.-D8f\..ej.....@.w.$R>Q.B.....V..@..9....zdB..x..GK.....LDp...Xc......x......*.u..R..,...#...Q,.V....}..W....oT.._6n.g..bK.p.s...pABSv0.7..'.JK ....b.Y.-.B...!'Tjsn...."V......B.@.<CQ.K....>D.5E..w.'. ._%E..-......7.M..u1nr.7....T[.%6..t...Z..Q.;./....k.V....J-.\`..d...K.c. ..D.G.j.../..z..k.KH.....!..M...8....fr.......m....2..4-... ..CF...skN*.kv.E[3."gi3.Uv..*.S...n..~...)..!V..>...D..2..b..}..xW.ZPd..X\.g...1.RY.u.]p..Z b%r.....Hc.N.+[E...Q....3.K.H.....)NQ@L......./2.v..q...*.-:%... "...`...i..+!.D..q.];.ARRrQZ.B. i...M...Qy$.....p...A.U...=...LHF%...]..l.S.pl1....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.139785828189609
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                                                                                                                                                        MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                        SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                                                                                                                                                        SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                                                                                                                                                        SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0................. ........@.. ...................................`.................................p...O.......................0(.............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........B...s............................................................(....*.0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.0..........s....%.o...+o....o...+&%.o...+o....o...+&%.o...+o....o...+&%.o...+o!...o...+&%.o...+o#...o...+&%.o...+o%...o...+&%.o...+o...+&%.o...+o(...o...+&%(*...%.(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1782
                                                                                                                                                                                                                                        Entropy (8bit):5.026919218581437
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                                                                                                                                                        MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                                                                                                                                                        SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                                                                                                                                                        SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                                                                                                                                                        SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhTLV:WFLV
                                                                                                                                                                                                                                        MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                                                                                                                                                        SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                                                                                                                                                        SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                                                                                                                                                        SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=6.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95792
                                                                                                                                                                                                                                        Entropy (8bit):6.184818983275012
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                                                                                                                                                        MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                                                                                                                                                        SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                                                                                                                                                        SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                                                                                                                                                        SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Bd.........." ..0..D...........b... ........... ...............................{....`..................................b..O.......8............N..0(..........la............................................... ............... ..H............text....B... ...D.................. ..`.rsrc...8............F..............@..@.reloc...............L..............@..B.................b......H........j..l............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tQ...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):6.002764283325334
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                                                                                                                                                        MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                                                                                                                                                        SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                                                                                                                                                        SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                                                                                                                                                        SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..B..........Za... ........... ..............................~.....`..................................a..O....................L..0(..........``..8............................................ ............... ..H............text...`A... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................9a......H.......4i..,.............................................................(......}......}.......}.......}........o?...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po#...o....*..{....o2...r...p.(....(....o(...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.656654225594367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                                                                                                                                                        MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                                                                                                                                                        SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                                                                                                                                                        SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                                                                                                                                                        SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.410547751816252
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                                                                                                                                                        MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                                                                                                                                                        SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                                                                                                                                                        SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                                                                                                                                                        SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&............." ..0.................. ........... ..............................&.....`.................................>...O.......4...............0(..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................r.......H........E...s...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....P.........io ...&..i.X.P..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....P......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.13440642371392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                                                                                                                                                        MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                                                                                                                                                        SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                                                                                                                                                        SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                                                                                                                                                        SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......^....`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071525670553409
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                                                                                                                                                        MD5:022108AD251A8942E295269CA824DE07
                                                                                                                                                                                                                                        SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                                                                                                                                                        SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                                                                                                                                                        SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960711597816388
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                                                                                                                                                        MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                                                                                                                                                        SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                                                                                                                                                        SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                                                                                                                                                        SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......5.....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117274836584594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                                                                                                                                                        MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                                                                                                                                                        SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                                                                                                                                                        SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                                                                                                                                                        SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.676829122620627
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                                                                                                                                                        MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                                                                                                                                                        SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                                                                                                                                                        SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                                                                                                                                                        SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):97328
                                                                                                                                                                                                                                        Entropy (8bit):6.241615255803021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                                                                                                                                                        MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                                                                                                                                                        SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                                                                                                                                                        SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                                                                                                                                                        SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0..J...........h... ........... ..............................d.....`..................................g..O....................T..0(...........f..T............................................ ............... ..H............text...4I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......L...............<^.. ...\f........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.18032959054322
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                                                                                                                                                        MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                                                                                                                                                        SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                                                                                                                                                        SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                                                                                                                                                        SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`...........@.................................?...O.... ..@...............0(...@..........8............................................ ............... ..H............text...h.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B................s.......H........ ..............\.......D.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.672454142602205
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                                                                                                                                                        MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                                                                                                                                                        SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                                                                                                                                                        SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                                                                                                                                                        SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................q.....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):384543
                                                                                                                                                                                                                                        Entropy (8bit):7.999457129580227
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:QCkHWMIRwZL7gsOTLQezyUyt6ywEYUxa5FDW8mWalWh6Nxjuq0xn57/EMpx4Ip7/:x4j1ZXgsO3dU61Oa3a8O50VF/R7pwvgZ
                                                                                                                                                                                                                                        MD5:3C93B399B417B0D6A232D386E65A8B46
                                                                                                                                                                                                                                        SHA1:BB26DEAE135F405229D6F76EB6FAAEB9A3C45624
                                                                                                                                                                                                                                        SHA-256:29BC4577588116CBFEA928B2587DB3D0D26254163095E7FBBCDE6E86FD0022D7
                                                                                                                                                                                                                                        SHA-512:A963F5CF2221436938F031B65079BEA7C4BAFBD48833A9E11CD9BDD1548D68ED968D9279299AA2ADFC23311A6744D516CC50E6537AA45321E5653755ED56F149
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....qF=Y..t.........=...AgentPackageAgentInformation/AgentPackageAgentInformation.exe....0...................$A...?..K.*...{K...>3..y..m..7.|.....l4._.>.G..............}.p.........@....q...2T_.1^|..;.V.(V.:...F|.{.oX.......>....8.]QK.r]3}..h....l.d.z......WI..dG.d..{>.CM.....9/j..a....f.qF...X.}a.t........%n.+..I..-Xa..7..d.D..0...L.K....i"..Z.....~.~....._..{p*......+v,.K..F.X.|;"..!d......So'.f.o.......^.A.........c......|315....o.oRU..#.....R..h..[.":i..+8}...E:..!.M...Th%O;.dX.qK2.....9TD...Nt.J...."..$..k..k.'&I.p ...h.d......Z.3~...]~.B...}...~.(:U....=r<)...,...+.$...i=...1I.]....4Z..'...&..R......R.sW.?../.k....USg........o.....[......U......e..V...jG.Y.....v2...ph.L..3..n.!..... ..W."...cJ./.`..Lr..l.b..'.N^@....,D.y.....i._....@....M..)u-C.R..3"....C.iV/..|..c....$_..Uj.....^.R...*5......O........6*qw..G5.+.\.1..... .X...f..H._S.....b..HY>.GJ..}.,Fj...*.!...,(.j!.Od...&.....`.[.y.1*...$...a.8.j#9.Q...y..E.S.rQ*.2O.;.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):177712
                                                                                                                                                                                                                                        Entropy (8bit):5.81549541154566
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:fDpvOyLSson7aezB53Pbsk4GJCMA1TSuAehsZ7f2lz8/ChoCby:fD4y07asBx4krGSeCZXH
                                                                                                                                                                                                                                        MD5:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        SHA1:F135BE75C721AF2D5291CB463CBC22A32467084A
                                                                                                                                                                                                                                        SHA-256:36704967877E4117405BDE5EC30BEAF31E7492166714F3FFB2CEB262BF2FB571
                                                                                                                                                                                                                                        SHA-512:BD654388202CB5090C860A7229950B1184620746F4C584AB864EADE831168BC7FAE0B5E59B90165B1A9E4BA2BD154F235749718AE2DF35D3DD10403092185ED1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0................. ........@.. ....................................`.....................................O.......................0(..........X................................................ ............... ..H............text...0.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H...................,....................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o .....s!...%.o".......o#.....s$..........s%...%......io&...%o'.....o(.......o)...o).....(*...*..0..........r...p... .....r...p.(.....o......(.....o.......(+..........s......[o .....s!...%.o".......o,.......s-..........s%......i.l.....%......io........o)...o)...(.........o/...*..(0...*..{....*"..}....*..{....*"..}....*..{.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWRn:WY
                                                                                                                                                                                                                                        MD5:DC63026E80D2BB04F71E41916F807E33
                                                                                                                                                                                                                                        SHA1:6CDA386D2C365F94EA3DE41E2390FD916622EB51
                                                                                                                                                                                                                                        SHA-256:3B54D00F00AA80384DE88E4F4005E9D4D889A2CCF64B56E0C29D274352495C85
                                                                                                                                                                                                                                        SHA-512:61DA550EFD55187978872F5D8E88164A6181A11C8A720684EAA737E0846FE20B9E82B73E1F689A6585834B84C4CEE8DD949AF43E76FD0158F6CAFA704AB25183
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.9

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.180547422449922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:vJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw0h:vQUm2H5KTfOLgxFJjE50vksVUfPvC1h
                                                                                                                                                                                                                                        MD5:9D8B5941EA5B905E8197A175EF2B15A9
                                                                                                                                                                                                                                        SHA1:86A078E94B5578EC4125F50F78C8518A8CE1D086
                                                                                                                                                                                                                                        SHA-256:C6F05B647DBADC15AB97D31790FC8ACE054986EC33E9178FEEAD4235AD15CB0D
                                                                                                                                                                                                                                        SHA-512:FAB5FE82873862CE8ED1A427482093CCA307F6663E9F6497FDC244CE461312872D419FF274CDCA0C496414C28681901F335C9911B95D2A7C112D30E32D74E498
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ...............................C....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704560
                                                                                                                                                                                                                                        Entropy (8bit):5.954116173285503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:i9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc33:i8m657w6ZBLmkitKqBCjC0PDgM5H
                                                                                                                                                                                                                                        MD5:BA66874C510645C1FB5FE74F85B32E98
                                                                                                                                                                                                                                        SHA1:E33C7E6991A25CC40D9E0DCC260B5A27F4A34E6C
                                                                                                                                                                                                                                        SHA-256:12D64550CB536A067D8AFFF42864836F6D41566E18F46D3CA92CB68726BDD4E9
                                                                                                                                                                                                                                        SHA-512:44E8CAA916AB98DA36AF02B84AC944FBF0A65C80B0ADBDC1A087F8ED3EFF71C750FB6116F2C12034F9F9B429D6915DB8F88511B79507CC4D063BAB40C4EAA568
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ...............................E....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):4.63763104121011
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:hsShKC+4MsShLP6SX9NfzyShaKf0OWZGShaKf0Od:M4qBX9Nf1WDd
                                                                                                                                                                                                                                        MD5:EA5947DE4CB4E76E53AD2602DAA7B54D
                                                                                                                                                                                                                                        SHA1:33BE794E2C4F2F9A1EAD06E4D0974B8B4EF939D3
                                                                                                                                                                                                                                        SHA-256:5214DB4189732687353258872C5AE5626FE055ED4005CAF16C35152A34685A30
                                                                                                                                                                                                                                        SHA-512:54824FA09426027B08D165FC21F258706B1A6B3B30386339D67B0B684CF531F0933192FC9A4F174409BDF3F9FFE589BF93369F1F693D5C4E347C108BE730DC4B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................TAgentPackageAgentInformation, Version=37.9.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]..............g}n....H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.840156860408859
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:ZPmXDNTXsnaUQ0:ZPgpT8no0
                                                                                                                                                                                                                                        MD5:41212D918D4D4D685854F13D87A19004
                                                                                                                                                                                                                                        SHA1:624A7C1912EB8DAB2C2CC1A47ADEAD459D1A4F9E
                                                                                                                                                                                                                                        SHA-256:451F80F21468CBE37BF1F7FC582D369F5802D5BAD479A283734E02B206905D75
                                                                                                                                                                                                                                        SHA-512:6E15FF7699378EE98B575B0F27E9D2F9798651C906F5316FD2A7B5DA46F005A42DC36733F385E7F2A5A92CA68BB0F2734D8824E095DC10CE9C9B8CE680FD6BB7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.05FEBBCC429F1530BCA2ACC6B381322A

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.677028119136097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                                                                                                                                                        MD5:E49A5284D2F384905389D53944708C48
                                                                                                                                                                                                                                        SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                                                                                                                                                        SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                                                                                                                                                        SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.2E69DDAE9D0D04A8ED39EECA359A9772

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328916
                                                                                                                                                                                                                                        Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                        MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                        SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                        SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                        SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27696
                                                                                                                                                                                                                                        Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                        MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                        SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                        SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                        SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............"...0..8...........V... ...`....@.. ....................................`..................................V..O....`..P............D..0(...........U..8............................................ ............... ..H............text....6... ...8.................. ..`.rsrc...P....`.......:..............@..@.reloc...............B..............@..B.................V......H.......t-..x(......2.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.rW..p*.r...p*F.(....r...p( ...*.r...p*.r...p*..(....*.rM..p*.r...p

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                        MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                        SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                        SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                        SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=17.14

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                        MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                        SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                        SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                        SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ...............................F....`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                        MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                        SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                        SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                        SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......Ee....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):833993
                                                                                                                                                                                                                                        Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                        MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                        SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                        SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                        SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....;9rX.9..........9...AgentPackageInternalPoller/AgentPackageInternalPoller.exe....0Z.......U........ee..Th8.............t.v.g....g......M.........c..K.`|.'1.W.g.;.W+.e.....D.."|...]-:.To.:.`B(.E{.T.?..z...&.....g.....1.,km8.....Y......WZm;..!.....k.....iA...~.zK..EW'.....p.A....Q6.~S......A.......6....h=C3N0y.$i....M...N....C......I.....UCp.p....x..WQ!.p..>.'N%.2Z.l.R8./...%Ew..T..yy.....q...U.nqH......".......n.6M..P.:t...t1..r...!9Z.N.X.s8.3.9V.a...m8....LpWS..O.8..R6..O.l....e|(..F...Og.h.0..,..Z.H....Rl..L.N.9.\...."4..%..A.<."..Iy...:..GBw_1......3.y.p...a...*...l..._.FI.Z.....+.L.....]Y.K|RM.Pf..in.........93+2.QMH.t......<...3.. ....2..!....t..)).I\.qw1.'..J...J3".K'rt.h.f+.I.7...q.MK......V.._!Q.].w..au.[.brv.T&..Lfm./..J.$.m...... t.u..uQ...L...\...M.Ihp.rG.J..C".....d.....;z..d....L.p.r.c7....q[2.e.........!(....Ld.....M..9...M....>EN&dY.]....>QUJ..N.+d.cr..].D.o.........?o.~@....@..D[...5.C.eP.a.....;..:.._v.....R

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219696
                                                                                                                                                                                                                                        Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                        MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                        SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                        SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..e.........."...0..&..........:D... ...`....@.. ..............................h)....`..................................C..O....`..d............2..0(...........B............................................... ............... ..H............text....$... ...&.................. ..`.rsrc...d....`.......(..............@..@.reloc...............0..............@..B.................D......H........@..$.......f.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ...x )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{ ...*..{!...*r.(......}......} .....}!...*..0..Y........u........L.,G(.....{.....{....o....,/(.....{ ....{ ...o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                        MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                        SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                        SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                        SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                        MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                        SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                        SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                        SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ..............................t.....`.................................2...O.......................0(..........@...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................f.......H...........x.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                        MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                        SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                        SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                        SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................l.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):499760
                                                                                                                                                                                                                                        Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                        MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                        SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                        SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                        SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,..........." ..0..p............... ........... ....................................`.................................?...O....................x..0(..........t...T............................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B................s.......H.......(d...(...........................................................{J...*..{K...*V.(L.....}J.....}K...*...0..A........u;.......4.,/(M....{J....{J...oN...,.(O....{K....{K...oP...*.*.*. 8..z )UU.Z(M....{J...oQ...X )UU.Z(O....{K...oR...X*...0..b........r...p......%..{J......%q>....>...-.&.+...>...oS....%..{K......%q?....?...-.&.+...?...oS....(T...*2.(U...oV...*..-.rE..psW...z.(U....oX...oV...*:...(....(Y...*:...(....(Y...*N..{Z....o...+(Y...*z.{[....{Z....{\....s]...(^...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                        MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                        SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                        SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                        SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ...... .....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                        MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                        SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                        SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                        SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................>.....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):149552
                                                                                                                                                                                                                                        Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                        MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                        SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                        SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                        SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.R..........." ..0..............3... ...@....... ...............................5....`..................................2..O....@............... ..0(...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......H....1..................81.......................................0..S........-.r...ps!...zs".....o#.....g...%.. .o$......+......(%...,...o&.....X....i2..o'...*..0...........-.r...ps!...zs".....s(.....~o...%-.&~n.........s)...%.o...(...+o+....+X.o,.....(-...-.r...pr...ps....z..o/...&.o0....3(.o1... ....(2.....(3...,....o&.....o4....o5...-....,..o6.....o0...,.rK..pr...ps....z.o'...*.......F.d.......z.-.r...ps!...z.(7....-. o8...*..0..U........-.r...ps!...zs9........+ ..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                        MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                        SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                        SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                        SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                        MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                        SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                        SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                        SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1246506
                                                                                                                                                                                                                                        Entropy (8bit):7.999702247108497
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ony3ipTOpSfZauTZ0OH58yGrxiVj3WqHvYfUmanGGJFE:OnaSOpGoud0OHGliZWqH3bn/E
                                                                                                                                                                                                                                        MD5:E74D2A16DA1DDB7F9C54F72B8A25897C
                                                                                                                                                                                                                                        SHA1:32379AF2DC1C1CB998DC81270B7D6BE054F7C1A0
                                                                                                                                                                                                                                        SHA-256:A0C2F9479B5E3DA9D7A213EBC59F1DD983881F4FC47A646FFC0A191E07966F46
                                                                                                                                                                                                                                        SHA-512:52B8DE90DC9CA41388EDC9AE637D5B4CE5C872538C87CC3E7D45EDCF8EFF78B0F5743AB4927490ABDA1CFF38F2A19983B7CCC0FE3F854B0EACCA9C9CE28EDA75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....=O(Y..>.........3...AgentPackageMarketplace/AgentPackageMarketplace.exe....0.......>N......V.^.'....l....f.u*-Dl._.>.u.S.Pl-6.;...].#.S.X..7./...."...Z.....M.$`.,..{....v...B.Q.M7.j4.'.C.G`<s.X.%.....,...<bdR....N....!.$J@.k...55....>1..(P&..-.#p.NwuV=Wb...a....-....q.!.s.LH..(...:..#7...L.7.$6.C.uy....&I.r..e...,w0o.....`.....[.{cg=]..IBiQq.`.X.D.h.......G./..NA.....46....w.....b9rp.J.C*.2.F.....G...~..q.x....u......l..I..b..z..w..v.d!./..U.Y^..J..k<kUo:.n:.W......g$..<.X.>....rQ.5JiJ.+..|.p......C......o/...K......T.....+9..z.."..Yd.f..&.B..QWu.-.@...c4.T.^...#.E...v...B..\.x0..{..."|.a.?.y.......-..W.........8nk.).$sf.2].c>...`....=...0..$.bp...Oh....8x.-.%N/...w.........i....a.QX0.k..k..f..D.vl.f.Q..3....]....$.4..k..y.../...'...a..C.x...@..".8....9...;..&j..G#f......).....l......Y..7.c....PJ...X...^)s[...{.......Jr.Q..+....N.F.I...%OS...=.......5......i....h..(....r..T-ir.=.+.'..'.......r...[..J...l.P....[.q...,.To..h.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37936
                                                                                                                                                                                                                                        Entropy (8bit):6.42035670242574
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:GlK72yzFcoUzzxYeHTxwx6/ufD/EpYinAMxCoG:3e9YeHVwYe47Hx6
                                                                                                                                                                                                                                        MD5:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                        SHA1:C94D106BBA77AECF88540807DA89349B50EA5AE7
                                                                                                                                                                                                                                        SHA-256:30271D8A49C2547AB63A80BC170F42E9F240CF359A844B10BC91340444678E75
                                                                                                                                                                                                                                        SHA-512:3594955AD79A07F75C697229B0DE30C60C2C7372B5A94186A705159A25D2E233E398B9E2DC846B8B47E295DCDDD1765A8287B13456C0A3B3C4E296409A428EF8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!............."...0..`............... ........@.. ..............................P.....`.................................Q...O....................l..0(...........~..8............................................ ............... ..H............text...._... ...`.................. ..`.rsrc................b..............@..@.reloc...............j..............@..B........................H....... 5...I...........................................................0..H........(......}......}......~D...%-.&~C.....j...s....%.D...(...+}.......}....*.0.._........{....-.r...ps....z.{....o.....i./2.{....r+..pr...p.{....o....(....(....o.............{....o........:...%.. ..o...........i.0..+......{.....o....-2.{....r...pr...p.{....o....(....(....o............{.....o.....o....o .....-.....ws....%.{....o!...o"...%.{....o#...o$...%.o.......E...{....%-.&.+.(....%-.&.+..(...+

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1295
                                                                                                                                                                                                                                        Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                        MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                        SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                        SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                        SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190700491174632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxBg:h2bYbYSWd85I5sSakFQhHL8/g
                                                                                                                                                                                                                                        MD5:266A4736FE6DFEADBC40C66AF39D3871
                                                                                                                                                                                                                                        SHA1:D090E63810691F78F760E55640B81958BC715183
                                                                                                                                                                                                                                        SHA-256:4D6091013BF285AF05D901BA130E86D8CEFDB4E387540C3814929C1277C2DDF8
                                                                                                                                                                                                                                        SHA-512:AB43966CEFC08A8FE9B7A1787948F55A73B243CA6DE7259FD42E5BD4ABAE61D562C9642770708BA38AB6118D3755741529ED51E7DB2A8A811BE8B876F2922A8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998846079851237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:GiLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv:LZ0PMcjrgv
                                                                                                                                                                                                                                        MD5:C6339BD38794C9EB831004955DE64D16
                                                                                                                                                                                                                                        SHA1:EAE04876F94347538735F853B7F14778CB75180F
                                                                                                                                                                                                                                        SHA-256:855D0323807390D8F499355D0030685FBD6DC6939218A15059CB3E9C744AB1A4
                                                                                                                                                                                                                                        SHA-512:F62F76F305285F1C206AEFB8418E48BD2074DEC768C16986353305F34D17524E9A9AEA29AAE11B0D927247161F21039933B3EA68F2BC7F40623B471E123B33F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ...............................+....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408406581403349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCl5E:h9MYn1seLE8JFMLcyMH7Hx+E
                                                                                                                                                                                                                                        MD5:7F8418A330DA75F653CC1A50F0B91175
                                                                                                                                                                                                                                        SHA1:7448DCCCDB8FBB1CC827FFE4861C7BD529EE85F5
                                                                                                                                                                                                                                        SHA-256:BF780EB84424039CAB84C818D21A402369EC1BDC9136E1CDBB60486343A07723
                                                                                                                                                                                                                                        SHA-512:3CAC7066B3F210D826383CA000CDC581C0CA193800C97F2F34C6139BB4880A12A485604344EF22BADFD4609F2A0E7645E81DECFA8C5BF8C6DF4406BFEE6DBFDA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............0(..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.1536791121281995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:4r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYyD:4hpp9xxIBeXGfvYyD
                                                                                                                                                                                                                                        MD5:697D8BC281B58B1FCEEC721B9BC01059
                                                                                                                                                                                                                                        SHA1:DA468B41FDADE096896B6835645DEFF110F438F5
                                                                                                                                                                                                                                        SHA-256:82C4EFE948B812C844DE4950130C292CDC49EDA42F447E17DE6CC451A1F5135E
                                                                                                                                                                                                                                        SHA-512:95877A2E690E083B256F71E376BE757FA0D329A6AAEC193461D325C63867BCE9E72A648EDB17A8817198C5224853541C65F664A6FFB966AE35D9E558F681EF46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ...................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071511091364285
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:m1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ0:m1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                        MD5:1A5AE803BFFDEBA6B4D9825233D1C23C
                                                                                                                                                                                                                                        SHA1:E324D9B2F417F46FE3364658429B620BC5942322
                                                                                                                                                                                                                                        SHA-256:2BED7E5890D572E41770C422C25CF11F0D3C2D170C5F38F8EB1535E1A3E614C6
                                                                                                                                                                                                                                        SHA-512:D8DCB1E227AD001A2F43C9847E0A22D43DBE7021814AB88DBD168092A3C172D17CB69848F743166E755DB771B55025664C0E53580B9E48252B1581AD281E332A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...............................q....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):702512
                                                                                                                                                                                                                                        Entropy (8bit):5.943194897994663
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH3:vXNL2PVh6B+BzjmcX
                                                                                                                                                                                                                                        MD5:F78DB2C6B247E0FFC215A44AE88178D8
                                                                                                                                                                                                                                        SHA1:12FB14AE1CF731115F07076AD939A2ACC57A9920
                                                                                                                                                                                                                                        SHA-256:1DFF434970F52326AA5E0C1164AB76A771A1EE651E37166DF8A3BC3F06204746
                                                                                                                                                                                                                                        SHA-512:AF3F67FA56CA89111E389DE17F9030D979827E8B60AF86E991115B07759D6DADA1B74ED870B5163474192BF58A5FA69EBFB03DFCF087EB88E1E72EC26BB578CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... ....................................`.....................................O.......................0(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........z..<&..................<.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{[....3...{Z......(....,...{Z...*..{\.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285744
                                                                                                                                                                                                                                        Entropy (8bit):6.190004154231823
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:uZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPngH:uZeZ6ANRIru9/pcMkoKV64SrWA
                                                                                                                                                                                                                                        MD5:2CD03F275D3BB90B106632F203DCAF64
                                                                                                                                                                                                                                        SHA1:025C716D6B123FA03DC9F97D4BF77D4AF20B75AE
                                                                                                                                                                                                                                        SHA-256:B90619EBE88644BDA995505BDE5D5E282403E27FF7A55E273CC2FF9ACC88300A
                                                                                                                                                                                                                                        SHA-512:321660D33F6126077D4DC04AFBB341B9D46D07E2B38CF45F1C7B2C8B60A58A3F008390EE6F8B6995BECF4B0EADF66C9263D4BE67C8269F9A0851207650B9632D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O..........." ..0..*...........H... ...`....... ....................................`..................................H..O....`..L............4..0(...........G..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H.......Hd......................LG......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117448325022863
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:/ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xH9:Bgo0WPVTXgd
                                                                                                                                                                                                                                        MD5:BF59A9BBF620C0F06ED79180C868FCE0
                                                                                                                                                                                                                                        SHA1:2E8F9EF7A105A951790344A3B9ADC61DB35ABAAD
                                                                                                                                                                                                                                        SHA-256:CEBDB552DAC9E136F87E37A461B7683934F00AA2A74FBA15BC53ADFA38F1B79E
                                                                                                                                                                                                                                        SHA-512:C472376BD7A0E532CB8FDDA7ADDB00FB973D30F97368460929E8352C16BCB17EA92264C81E1E1E084566172ECE3D1513073D24B01990A808335D0C040039C6D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ..............................\.....`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.678227546122444
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Xy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqq/dW:XuhMaVmzDC67EpYinAMxCwk
                                                                                                                                                                                                                                        MD5:181F16CCEBD4B02ACE42A02CC536ACA9
                                                                                                                                                                                                                                        SHA1:84795DA0255E288C96AC64F1C8150E81E0289FFD
                                                                                                                                                                                                                                        SHA-256:80582DBDE89A6D9906721AD27562C7B2BEDE7048E4D461828D3BA2C4438E58E9
                                                                                                                                                                                                                                        SHA-512:73F93A3F4538FCE421A453B5A90AC662CC58D5A846AFECB8E337F33A1D643A81C8D02F5F3AECAE4CF00828A3103C63614F086E92ABD262317B13CF608784D72A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.235108733243218
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWC:bzpjF0/t043e3vggr83jMYa/hU7HxVJU
                                                                                                                                                                                                                                        MD5:30BD9DF0841299E8FA11340B83A441B0
                                                                                                                                                                                                                                        SHA1:36447785062CB3DFDF9A1E03548EFD348760458F
                                                                                                                                                                                                                                        SHA-256:801BB92AA7A8840148FE548ECE4B7291C0E4FA73712FE2497074C925ECC906B9
                                                                                                                                                                                                                                        SHA-512:830B821EE5BF401A6B95662EE191FC8BF08BF64D4D8BFBDB0E142D303AB241C41C4134883C0851B4D5DAF49F598454CE33595787C7084B4F9504794D9B07E54B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ....................................@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179673461309118
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ily:Mh0qjC5RMOHO420kN1Z
                                                                                                                                                                                                                                        MD5:37C069A058DC803C83C43DF6681907DA
                                                                                                                                                                                                                                        SHA1:ED522080452C472560A74F4B979BDC5CFE1643E7
                                                                                                                                                                                                                                        SHA-256:9CD89ED91343ABF19DEF9EE1809AC28765EB3D63E5597583D3D183156D8B3C62
                                                                                                                                                                                                                                        SHA-512:1F38E4153FBFF9C996C3348A325AC3E9B43118D97F5E51B1099D09C61BFC4D772ADE110603D479403317AD76AD42F494E55A58E278F825EFBFA6E1ABEE246929
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......!.....@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.674524887219165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Hh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBr882HW:Hy9eEpYinAMxCAT2HW
                                                                                                                                                                                                                                        MD5:3D126403FBA7BC6FAC6E6ABF5FCE09E8
                                                                                                                                                                                                                                        SHA1:70B60D649EB174C109C0A6DC873444473D956694
                                                                                                                                                                                                                                        SHA-256:D2B815734C2683E7759DEEA3019FCD2B19F5B879CFA3BA02620619DBCAF73E38
                                                                                                                                                                                                                                        SHA-512:BC0D56E79471051228DB678AC686BE96BEA6697C2376AE28574EDBAD52CF827AE720A7F733B6FE96B2757610771137B6E6A6CF86B787128136D17B232F09569D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................R.....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.335679732582514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Qn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCF:QnvXYcIh6yFIFBYpc47HxG
                                                                                                                                                                                                                                        MD5:14C4B9D7E63166E65ECCD9A74A55BC4A
                                                                                                                                                                                                                                        SHA1:C1F849748FBC76EC9BF9BF934135860242CE1928
                                                                                                                                                                                                                                        SHA-256:83BBFBEDA8EFB1745ECDDBEE0FB16ECAE1E6524461FE075B90C700E34C78498F
                                                                                                                                                                                                                                        SHA-512:C2774C72B62148FFFF05B2714F4720D212F52F740812D307D683D66709D77FD06F325A4DB25D952B9B2CCA5A1DD60CEDFCBFB6420FA5CE1A81B9D711395671A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.95485496879401
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRY:67N1r9KGI04CCARLY
                                                                                                                                                                                                                                        MD5:B742B57BE990E57E0D079CFAF918E086
                                                                                                                                                                                                                                        SHA1:00652CB0AD4ABCE039397AF2308B2D6D251A2B09
                                                                                                                                                                                                                                        SHA-256:8929394DD35DBF2592AAE46E1063D38D782122F2A7F6A0248A754817E4394823
                                                                                                                                                                                                                                        SHA-512:2CD15A7F0626AD3BBA10431AEEFEDE1A195987BA609EC01A51083EEEF11DA516FF4D0678451372106A27A66E013A1012FB00E74CB4F4125C7F451559DE326908
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`......4T....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3585766
                                                                                                                                                                                                                                        Entropy (8bit):7.9999279847863685
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:XOzuWD7XM4OvRQW56YWuCrMXa7ANNBvlXWKCI:XauWD7cjGKWuyOr
                                                                                                                                                                                                                                        MD5:E010D1F614B1A830482D3DF4BA056F24
                                                                                                                                                                                                                                        SHA1:5873E22B8C51A808C06A3BBF425FCF02B2A80328
                                                                                                                                                                                                                                        SHA-256:98A98DD1DF25D31A01D47EAF4FA65D5F88BC0AD166F8F31D68F2994B4F739A9B
                                                                                                                                                                                                                                        SHA-512:727877929530E08062611868FD751D1B64E4C7D28C26B70F14C7CD942B1AE1579CBA2A2EF038BAD07032EF728AE277963FFB3E1AB7A5C28351326FABAD84DAA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......6>Y.^.S........1...AgentPackageMonitoring/AgentPackageMonitoring.exe....0........p........_L........v.w.../.E..l1.=.8..F.....|..%J.....QB..+.C#.(...Y..*FC.j./.?..#WJ.T......3.P....7^p5.g.`.. .m.h..U..(\.OlC.U...,...l~..Noh.q....Ai.'.EuZ..!z..5w4..&..4..b.__...7u..^.Wv.1.:.|....}..I....F..W..Ko]_j.mk..v..-....CW.....%x....&...o.:I.~.C..#%S..U...f$..n.........WE.....>...d...._M.|....(..?..i. Z.d......{..C.P....57.QR...._iN...r.t..IG..tFs..r.%..b.I.C......`Dd..8U.h..T.C..q....7.i.L..S!m"..).s."..H....W..b....X.l.C..'..#M....gB}k4..{K.&..s.<.^..Q....Q..c..&..BO..W.".\...!.CR..,o<.X>....,.-.[.^1H^r.)q. L..#.?...0..j.,r.`#..Rq"K/.B.:.....V...hX_..ja.........[.)&....C...../../......IZ2..v .@G...*F....nf. .@w.9o.,.....X.i.K/.}\!..7.a.w....:.x.$gE..DG..V...t...K...M.$...b..{.u.4..1..]."..o.n8dQ<...q.....d.(..Y...U...../n.....*y+..%.+.D.}W.&&.U.Z...c#.mU(.......d(.......x....r".g/O.....5..|(p..XG...'7].3.A.Y.&.&D$.".|...D..d\.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398384
                                                                                                                                                                                                                                        Entropy (8bit):6.2554691460003795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:OLrnDNjiDx+xdShTv/51LtpYbgPuXhN2sHY:OLcDx+72/51+cuXhN2Z
                                                                                                                                                                                                                                        MD5:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        SHA1:11AE92FD16AC87F6AB755911E85E263253C16516
                                                                                                                                                                                                                                        SHA-256:01F464FBB9B0BFD0E16D4AD6C5DE80F7AAD0F126E084D7F41FEF36BE6EC2FC8E
                                                                                                                                                                                                                                        SHA-512:540D6B3CA9C01E3E09673601514AF701A41E7D024070DE1257249C3C077AC53852BD04AB4AC928A38C9C84F423A6A3A89AB0676501A9EDC28F95DE83818FB699
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../............"...0.............2.... ........@.. .......................@......<.....`.....................................O.......(...............0(... ......0...8............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B........................H........0..d.............................................................{'...*..{(...*..{)...*r.(*.....}'.....}(.....})...*....0..Y........u........L.,G(+....{'....{'...o,...,/(-....{(....{(...o....,.(/....{)....{)...o0...*.*.*....0..K....... bHQ. )UU.Z(+....{'...o1...X )UU.Z(-....{(...o2...X )UU.Z(/....{)...o3...X*..0...........r...p......%..{'......%q.........-.&.+.......o4....%..{(......%q.........-.&.+.......o4....%..{)......%q.........-.&.+.......o4....(5...*..{6...*:.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1459
                                                                                                                                                                                                                                        Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                        MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                        SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                        SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                        SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWQn:WZn
                                                                                                                                                                                                                                        MD5:5796D1F96BB31A9D07F4DB8AE9F0DDB3
                                                                                                                                                                                                                                        SHA1:93012724E6CC0A298838AEDE678806E6C0C6517D
                                                                                                                                                                                                                                        SHA-256:A90D255CCE3B419641FA0B9BA74D4DA464E0CE70638A9C2EBA03D6B34FCA1DC4
                                                                                                                                                                                                                                        SHA-512:890112DDCB3B92B739C0DD06721EFA81926CE3AAB04C55CDADB8C4E6B7A28C9796F08F508249DB189547DC4755804AA80CC8B104DD65C813A0450AAD2CDDA21C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190879178656762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxm:g2bYbYSWd85I5sSakFQhHL8g
                                                                                                                                                                                                                                        MD5:A86884A9A1C75604B2114E09B738FCF9
                                                                                                                                                                                                                                        SHA1:A82B444BF09CFCAE36F532C4EB4B8C5EF0933F6A
                                                                                                                                                                                                                                        SHA-256:EEF751E3B01C4071A1BA34E96B663E93631C51485AF31055C3EB2F75866F9FEC
                                                                                                                                                                                                                                        SHA-512:4B97A3D4C37129440816D0524CDB1C485AE68B6C6735857C157D7EA76ADD91241B7185C831C646713CFB4DFB3EC95E577F98088D08ACBB0313837CA584474299
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.997149012234495
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:S4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsfn:S4auS7S5Ea6WMcpu8Mn
                                                                                                                                                                                                                                        MD5:0E5155ECBE5A1797644F1610DAA15583
                                                                                                                                                                                                                                        SHA1:89677E0F9443D52C73D4E0B91C5AEE5215EC4E88
                                                                                                                                                                                                                                        SHA-256:9BAF23C814DD100B2AC9511C9A2E5302DEE1FFB1807DEA021E1D317BA36901CA
                                                                                                                                                                                                                                        SHA-512:3F80A871547BDF47F0A5B58F54B9597D0894580FCEE8F53DD08C8A80658697FA9C9426AB8D47A40B0CDCF53D11769C654D26A3B530AD39A3A6E37D468CA309D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ..............................d.....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240342116807372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:iF+qo7mDEwj4NXLGcfgruFcg7HxRM7
                                                                                                                                                                                                                                        MD5:F64746D633211D129AEC5DB988BCC9B1
                                                                                                                                                                                                                                        SHA1:78E7047265B0DF15C54FE84261D2A0B3568FEF31
                                                                                                                                                                                                                                        SHA-256:9EC285FDB857D5618FBD794464135BC56823B08146EA41F24FCEC3135F0E1C0B
                                                                                                                                                                                                                                        SHA-512:31BCE8F3DC415F562354044BA490A9252E6C20CAA38D5162AB3929111566BCA7E97D609EACAC4712E814AA8AACFCB7B32360E4F6EE5521D6223DCC4617A5614F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408313907878965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCk15:R9MYPJS/16/E8/3A+++bF7Hx315
                                                                                                                                                                                                                                        MD5:1CAB625AAF9CBCAB46B1455BCA45EF4C
                                                                                                                                                                                                                                        SHA1:274A3B9134AA4530110F29C1858A85D86D4A396D
                                                                                                                                                                                                                                        SHA-256:1CB4C57049F47E3EEFB1C2BAB2BA34A17ABDA610DC3D4D331A9B33B40B00307F
                                                                                                                                                                                                                                        SHA-512:BF4A53BFB9DCF13C87ED6E79640371908C73E7D67765B724C509B4EB7F3F66962F0883094640497CCD2FFCD255D1E46A50B33850E8B0B2D1CC684D40DE24F5D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D............." ..0.............b.... ........... ....................................`.....................................O.......4...............0(..........$...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................B.......H.......|E...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155184
                                                                                                                                                                                                                                        Entropy (8bit):6.247374284901675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:A0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YkY:1P80zukOltwW9
                                                                                                                                                                                                                                        MD5:12572F87CCF0E40406B3554A1A6D3905
                                                                                                                                                                                                                                        SHA1:C9E238EF065D38400D084265EE056B2ABB694224
                                                                                                                                                                                                                                        SHA-256:6FDB589EBADF91A869EAA3A850B0FB17A8AB96BED78422E28F7EFAF63BC040F9
                                                                                                                                                                                                                                        SHA-512:D397888AACB1B787662B1678A24E24DDFA7A42C5363AC673706934A1A42E13F5ED55956D478FAF0998C77891A64F5F26E85DCFA7FFC0A6AE87DF26B3C24C4314
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%%.W.........." ..0..............M... ...`....... ....................................@.................................lM..O....`...............6..0(..........4L............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................M......H.......d....G...........................................................0...........u....,..s....*.........*Z.(....u-...%-.&*o....*..{....*..{....*..{....*..{....*..{....*2.(....._...*2.(....._...*..{....*2.(....._...*...}......}......}.......}.......}.......}.......}....*>.........}....*..{....*...0...........o].....o^...(....%-.&+..o_....(....,...(....o`.....(....oa....(.......(b...,...(.......(c...od...+"(.......(b...,..(.......(c...od....(.......(e...,...(.......(f...og.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030878409231256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:x1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sA:YIzm6pOIgvr75
                                                                                                                                                                                                                                        MD5:44EBFB8CE52A4EFEDF07DA6875CA230E
                                                                                                                                                                                                                                        SHA1:824585DB12A35588F25C0CC5DA77EAEF94011CAD
                                                                                                                                                                                                                                        SHA-256:292F94823959CAFAAA77B81C0A490EA9ACF90B2553727BF3E74C1AE3A7F8AC01
                                                                                                                                                                                                                                        SHA-512:89DD6F5E827A9E23A8F7DBA8F89F55F2A01B290756AE7A6371A5934E9AFC6B3C5702DC0CADAB061405AEA4F2AC275902D8094E7A0ECDA29C8A438C6BCE46ABD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................`.....`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153589479592355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvY2:Qhpp9xxIBeXGfvY2
                                                                                                                                                                                                                                        MD5:53594510735A737A2B25AF4B396EFE8F
                                                                                                                                                                                                                                        SHA1:3F4664E88F44BBDCA29AFFB78D866A76ED128965
                                                                                                                                                                                                                                        SHA-256:DFBBDBA40745B2FCDEC5973D1BB0352DD8618996A6231411C48D87D11C63D07A
                                                                                                                                                                                                                                        SHA-512:D9EBC5B83D8727E596EA6A72C49F58C5CB2BC02EC24B432709BCAA7C1C49E267F85520315EF644EC75DC24E3A5D49F64292A295822B27EDEFF452F552D8B89AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ....................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071511083932349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:o1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQs:o1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                        MD5:286642CD396C5B6CADC906B112B493EE
                                                                                                                                                                                                                                        SHA1:CB625FDBD26798B3042BC5CFFD010F4E73CDAF1B
                                                                                                                                                                                                                                        SHA-256:004BF709595E808AE59558AE7510A40277B7E31D99A5580B0E07F136EAE09130
                                                                                                                                                                                                                                        SHA-512:49773E5AD432F893C559308DA144596CE1DFB967DB5FCFB1805528CC7535E70A181ED8801CAE43A47B58656C9925A236B06A4F2C67802A1A875A3DCE3C9002DD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960469418569573
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUD:2BA/ZTvQD0XY0AJBSjRlXP36RMG6
                                                                                                                                                                                                                                        MD5:B61A163EC8F1E6A3A3572A90BA23F7CB
                                                                                                                                                                                                                                        SHA1:467FBA9F1C171B58B76F4E9E24ABA1CE5C91D02F
                                                                                                                                                                                                                                        SHA-256:87DA900259BEA3BB65D984FB6FCD3134661E3EB0883EBF24981D50CA5D36F51A
                                                                                                                                                                                                                                        SHA-512:87EADB61D95EF67CEA0EC8CF15C2E285AFF8C92941ADB47DBCE6886796DE45B4940EFA803D2A9333FADD09473E1B1A34660042D12562FB07EAF4A59C401244CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... .......n....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293424
                                                                                                                                                                                                                                        Entropy (8bit):6.121629065121692
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:admT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yB:adc7N/WkQHr64B
                                                                                                                                                                                                                                        MD5:3362FDB62A7980CA70C44B4DBDA5BE9B
                                                                                                                                                                                                                                        SHA1:77B328FD868E9BE19165C39B541E815BAD1FE13F
                                                                                                                                                                                                                                        SHA-256:A6B74A797384F89B692F2E1027A3F73B4FAD2A97914208158869A33068132A1C
                                                                                                                                                                                                                                        SHA-512:D0441E5C747707434C02A64E8FF3A49EDF33CFF2C9D22F2C22E8BDFEBC30A3CDF79B2ED96B8ABD819ECD042876BAA77C32E119EBB05BA0ECAC73DFE2BF971E86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.d.........." ..0..H..........rb... ........... ..............................k.....`................................. b..O.......$............R..0(........................................................... ............... ..H............text....F... ...H.................. ..`.rsrc...$............J..............@..@.reloc...............P..............@..B................Tb......H.......\....V...........................................................0...........(......o......e...%.r...p.s....}......}......}.......}......{......e...%.r...p.s....o....r...po.... ....(.....|....(....-.."....}......{......e...%.r!..p.s....o........(....(....o.....(......(....-...}....*..}....*..{....*..{....*..0..a........{......W..}.....{....,..{.....o.....{.....{......e...%.r!..p.s....o.....{.......(....(....o....*..{....*....0..Z........{......P..}.....{....,..{.....o

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190725872261733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ISOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYl5:XuQlBAMW0BvltxZ66
                                                                                                                                                                                                                                        MD5:66C97A4217593113658977F5AEFC18D8
                                                                                                                                                                                                                                        SHA1:A7E4FF9BDB3800C1E93A0D521B53E344A10699FF
                                                                                                                                                                                                                                        SHA-256:9AD65CC593BFC60815124C6377A8F3EA4F031BCA01C688FB543B50A2B6418764
                                                                                                                                                                                                                                        SHA-512:D2A474718A38AA0EA738200D7584A5C21552DC76428176026C5509AE606FEA534F4AEABEDF93D5BAE5735754D82B2D93E4CFB67BCFEA9A435147D7BB4B1F0722
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................?a....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117308680869445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:QZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHe:Ggo0WPVTXg+
                                                                                                                                                                                                                                        MD5:A6D30251ED124D7656F523A7DF177D09
                                                                                                                                                                                                                                        SHA1:48092D267E067C1967B5ACF1AEBD9A18F0B91515
                                                                                                                                                                                                                                        SHA-256:EC81827B885C0B109AAA3882469BB41D26871274B2E39D3B227FBD18858BF6A3
                                                                                                                                                                                                                                        SHA-512:466809068B5813AC5531D9E5C76BA080A3A15B0D1AFF2A7187149CD5366D990DFD07DF1D51EEB8FCC656ED5C2D1C099AC32E0416F219FC38B64BD1A2351EE502
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.677526036924594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOq9tH6:guhMaVmzDC67EpYinAMxCQ
                                                                                                                                                                                                                                        MD5:8F678B241B955CF86CF65136ADE90539
                                                                                                                                                                                                                                        SHA1:DFD92464B9C5D6822062721C7C3497CD30850CC4
                                                                                                                                                                                                                                        SHA-256:15F8EEDC717B18D1A43BB3295BE6787E0DF002C284A06A4B9198851BCCFEB7F2
                                                                                                                                                                                                                                        SHA-512:482E6E33F22D7DC68D075600E3C6131A0B563796E34BEBE6352BE8455BD4ECC72F7B682C3E203FEE9CED67C78B60A96B58037CA7499D4F0F86E0B33AB836F048
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):409136
                                                                                                                                                                                                                                        Entropy (8bit):6.098204637389941
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc17:p6heZBJm333M89QA+
                                                                                                                                                                                                                                        MD5:5B3639406ABB5AD7F16A90124B708862
                                                                                                                                                                                                                                        SHA1:466DB9D6BC5F2A8EB205E5F3A7F2EC8C52809597
                                                                                                                                                                                                                                        SHA-256:83717328623F05F5987DC258332BCA21C1F2858B7CE6B834AF5DA687B0948847
                                                                                                                                                                                                                                        SHA-512:F10717408E0140C8DBEFCCE9501CF03B86CECD32F2B55770879C28E21D793E45BD8B7EEED52E56E3386000A7BEEF7F0BDD05EBEFF99A44D1056512F48063F71C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.c...........!.................+... ...@....... ....................................`.................................H+..S....@..p...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H...........tM..........PM..J...P .......................................6K/.%.L....7.......2.x..`..P.k:k.......0\W.j...;..xX.~..HB..S@.$.m...)4..<S1...C.Y......#ku.k&..2<..i{..>....U...s.'{:.(......}....*..{....*:.(......}....*..{....*r.(......}......}......}....*..0..5........-..*~.....o.....X...v....~.......o......o .........*6..(....(....*"..(....*.0..T........~!...("...-..-.~#...*../....+...X....($...-..-.~#...*..v........(%...~.......o&...*Z.~....2..~.........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.234968936412768
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWu:3zpjF0/t043e3vggr83jMYa/hU7HxVu
                                                                                                                                                                                                                                        MD5:BDFEF14C7A661E237F27B79E4FE950F6
                                                                                                                                                                                                                                        SHA1:83F7DC1950211EBEC2B326D0778E6A46781CF892
                                                                                                                                                                                                                                        SHA-256:689AF98555A3D5A36FE8841AD39F9196F60A6A5400A8CF41E6E0997F47E675F1
                                                                                                                                                                                                                                        SHA-512:1E698E4E1E6108524F48B6ED7720E0EE239679546FB429F415A52875C8FA0D5C0B2D8C3EE6F523D1B7E875D1FACA83B6A0EB5B62C0DAED414BDCB36FE0D5C043
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ..............................b&....@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179921646668756
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:YP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ils:Yh0qjC5RMOHO420kN1X
                                                                                                                                                                                                                                        MD5:8DDC05CED2922285C9037C7D503A86AA
                                                                                                                                                                                                                                        SHA1:AD66BA39BE8639D86877B515A68EC3D7AD3E7753
                                                                                                                                                                                                                                        SHA-256:30D4499D9F96D1B081C5A8B5F9D9792900DE6767243CBEAD81F6244C33C799E0
                                                                                                                                                                                                                                        SHA-512:6B7E9AC11076C4FAEBF6F51610023BAF0F513DD0680CA2A07DA9AE5E6F6AC42EDBF8CA8F9ED210AC5F3C7D280E8ACBBDAFA4C6916ED2003B9D94693587EEF656
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.676696708568243
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Th06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBVmh:Ty9eEpYinAMxCAy
                                                                                                                                                                                                                                        MD5:2D491883E24603B382FDAD8840272070
                                                                                                                                                                                                                                        SHA1:78C442E11EA0B9ED3BBD09B19E6A18CC559CA58E
                                                                                                                                                                                                                                        SHA-256:EDF076BA91F6F5A808879D94A586D1BF78D5D0C8FDCD5399DE36FB6389301886
                                                                                                                                                                                                                                        SHA-512:0790CA5BB187AEFE4E5785C528C68E55EA4AFD642101A77A1D983599BC42AB4423723E910A0265CD9A5D3C7DFE0C9E9794DD6F6E8228B488A384647643C09C79
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................w....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.332801634669375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCr/:knvXYcIh6yFIFBYpc47Hxk
                                                                                                                                                                                                                                        MD5:B62DB814A8E1C5C8F4DE32F142D7709F
                                                                                                                                                                                                                                        SHA1:DB5998A9C785E77A1152145615213EA31E06B289
                                                                                                                                                                                                                                        SHA-256:F3E5DDD22B8F044C9B45D99762F2A339077790AB049C1AAB152F70BC7127466E
                                                                                                                                                                                                                                        SHA-512:0F7DAE5AA68ED86A574F70478F99458C4A52B1913D232B20A58045EB1E49C83B9134DD90335FBCBEDEECF691EECE5A137FE06FF9F2F6B9D0607FACEA2C0D7C5B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... .............................../....@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955263962444665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq6L:67N1r9KGI04CCARLq6L
                                                                                                                                                                                                                                        MD5:F0A06E07C21B485434202D325B3AA058
                                                                                                                                                                                                                                        SHA1:6E4A0A572E3CA5A5B23D4633CE63300E3BB39658
                                                                                                                                                                                                                                        SHA-256:955FD5B1B046AFC9E62E2D0CA4698818FE1357EA764977D7A9B4A44C1F657169
                                                                                                                                                                                                                                        SHA-512:B398A6A66F184193CFA635D6B5DBA9ADB391782F2A82F4609ECB161A4340DC41C82F22A98FEB69F594B7DDF9FB677711BE1FBFA4D796146550E92D22DCA14D15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 12
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.9019817279948473
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:2u5C4OoNSN1eN+5Nm6ZDzWL8OO7QzyO+p:D5PsveM55tzy8OO7QzyO+p
                                                                                                                                                                                                                                        MD5:F8B01C1F76FC895BEE1E50FFFB8EF791
                                                                                                                                                                                                                                        SHA1:01469E0233BDC8C1E773FA38F9A241DE68D3CB2B
                                                                                                                                                                                                                                        SHA-256:69F292FF60A7F0B7B7ACE5CAD1DF7EA78F01D171159B2C8A30A9E58E6D3CB89B
                                                                                                                                                                                                                                        SHA-512:11A72B419E065328515BB05D5B80D1D57FBA8D770B8D8FEF06D980AAF732BF17CE22ABC13AC6129B9B24656752D67F0FD21A2084429F6520770111D9E6F0D7AC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................c..............Z...?.j...I.:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12824
                                                                                                                                                                                                                                        Entropy (8bit):1.3802955169521118
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7MNqcFu5C4OZUlFJNGdNGveXXQXN+5NG1Z/:7Q/u5C4OoNSN1eN+5Nm/
                                                                                                                                                                                                                                        MD5:9545F62362BABC0E7D373C04A9525C58
                                                                                                                                                                                                                                        SHA1:9B6E3088240409D0BE39B3261A275DE5F88FD52F
                                                                                                                                                                                                                                        SHA-256:91ADA90877AC138696A1FEC50264503ADBCF7436FF05221F4E41E16F0ED9F9CA
                                                                                                                                                                                                                                        SHA-512:ED2C5F8460A61F82EEFC15D4D8F987F5ADE19025A1BF2A25628E96567E8A7E7C6ED962FE60D12A9EBA4DE41013BD711E6AC43E00F463349B672BE4ADF4BD6567
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.... .c.....-.h.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1799216
                                                                                                                                                                                                                                        Entropy (8bit):6.520454988999628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:GuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFY9:RHmUMohVWpu8ul0UkTgNCfyo3G
                                                                                                                                                                                                                                        MD5:CBA9D50085EE939B987CF758C727DD62
                                                                                                                                                                                                                                        SHA1:DDC0FAF68995883AC754662C59C4295BB0A64E3B
                                                                                                                                                                                                                                        SHA-256:75E47A697A46E31811FAB8C5D9FE1ABA6BA095B6D13DC79A8C848BE308917C37
                                                                                                                                                                                                                                        SHA-512:A5F3D1B96535E0B523ECD71DC36FD3AF157C630874FF11DA29066C545114D256B14A5EE2BA725679C4192182D37DF6900AA69ECE228BAFCE909A482DFF43A1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............g...g...g.>.....g.>...B.g.>.....g.3.....g......g...f.^.g../....g......g......g......g.Rich..g.................PE..d.....c.........." .................n...............................................s....`.........................................`t.......e..x....`.......@..`....L..0(...p.........8...........................@...p...............`............................text...$........................... ..`.rdata..............................@..@.data...0........z..................@....pdata..`....@......................@..@.rsrc........`......................@..@.reloc...,...p......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1475632
                                                                                                                                                                                                                                        Entropy (8bit):6.791868709546672
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:TS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qC:6dwXpQdNVNDQubXyi60jXTW98qC
                                                                                                                                                                                                                                        MD5:3B462EFAACFAEBA904109B4FD3FE641F
                                                                                                                                                                                                                                        SHA1:6DB8785E94FDC2152895396CB9B3D3945DA5D25A
                                                                                                                                                                                                                                        SHA-256:1F9F620D4D7D32670073C335A2DC88A5A5DCFA7A5FF18E914EC6CD8EA983105F
                                                                                                                                                                                                                                        SHA-512:7295B1F7E4437729DFDAED5310EB26B5F4A8B96A2B97ADA8F8466712A69946BAADB2588071B51D661F4FD2A6029A2914E3DB73914BD2FE1C74D725F204063EF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.rG^.!G^.!G^.!.._!d^.!..]!.^.!..^!.^.!.))!O^.!Y..!D^.!G^.!.^.!d.B!F^.!!.Z!F^.!!.Y!F^.!!.\!F^.!RichG^.!................PE..L...r.c...........!.........*.......:.......@............................................@.........................0B..:....5..x....................\..0(.........pB..8............................1..@............@..0............................text...p-.......................... ..`.rdata..j....@.......2..............@..@.data...tt...`...T...N..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2950153
                                                                                                                                                                                                                                        Entropy (8bit):7.9987653712188695
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:sIiDtH34v82VnTxK+JeWJi+F70HLFkIZgblvk/QcMEisjQhmC:WI0W0+J9o+V0rFkMgdAQcMEDC
                                                                                                                                                                                                                                        MD5:91453D3E1E2BC9586CF5495073FB3CF7
                                                                                                                                                                                                                                        SHA1:09CFA9DC27545FB600DD7A60E44258C511EB43C4
                                                                                                                                                                                                                                        SHA-256:5D398C6CE0636EADD4B7F6920DBD6127388F698E9BC1A440CB7DB3992ACB6557
                                                                                                                                                                                                                                        SHA-512:462D59453ED01D8DDF54E06319AAEFC0AB5EF70ED7B0A45FFD4D3F049692044ACF0DEE3599173E58A4C281BC69AF63D8B64F9586A1B2F04991ADFA6747F19BDC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......z[Y...1........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....(r.......>.......~.}..V..)...i...?...Br......~...x.+W..$....S...,g.m...K:-.E..L[..Z....8~.i.!..+B.....U....~{.x..`...Z\z....16g....'..(.-.....T........e.......D...C..._.-...1...n....."C....V..?D.<........W.....7.x.v.6..fZo..Bl........'..B....[CP.m.X@....KX.#.\..........-;...&...m#._.....0T<.....K..9..3.._....v.m....I.Ez......\..Z..:d.:..eY...e.rS..*..#.JJ5W&!n@v.;.......@.,......G.[.|..<.=\.JW...."1.............<3A...B........f.x...R.W.XS\2.p....U.[.W..h.?AE!..?...>.c.....H<..+..u.~./..:..:....yr.....T..\.5..\D.{..M..1.4../....L..3....|W.J........6..z....0Z.....@S..P.N4....D[........1....g@$.....f........Pfb2.:.n...B...!..+.%F..^.f...F..^..i.W.3j*.}...G.h.Lg...}C....7e....v..l..Y.&....S.J{KqQ.}J.U.....`.w......t.>>~..f._..Fx..:.4.z.wvK9.$H........|.......|.`)..n.'.A....'....gD..."|.+<q7S......f%..oP8....A..RC....._2an.X..Q...H.Rx..^9$+.1...c/Q.p1.....!......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.341508215009247
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NpYIrVWGYPHEUePsnhkgGIW7W8feKWDpQ6bo2dNyb8E9VF6IYijSJIVx+W8W:zTrVL3Ue0FSTuVbo2ZEpYi604W
                                                                                                                                                                                                                                        MD5:F9E96C557C427EF212A849BE49F7FC26
                                                                                                                                                                                                                                        SHA1:B2065BAEB817946470EEDBD2DB3AB73E169BD4D5
                                                                                                                                                                                                                                        SHA-256:701D183ED3150DCD35A601360241AB54C68B54B0AD80EDFA34569746EC76A275
                                                                                                                                                                                                                                        SHA-512:4B9A4670665EC93557A3F201995113D0609767B4E0AA105AC1F1CE5AF6262F91FA6F7212C735181A369BD770F66CD7F5D0D2E61B54C1428D9164A7996413D02E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I............." ..0..@...........^... ...`....... ...............................s....`.................................=^..O....`...............J..((...........]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................q^......H........*...2..........................................................:.(......}....*..0..X.........(.......o......-.....>....o......2.,..o......,..o.......{....r...p...(....o..........*.(.......$..........&...........88.......0..M.........(......-.(...+..8.o....../.,..o.......{....r{..p.......(....o....(...+....*.......................&&.%.....0..].......~......o......-.~.....o..........o.....o........{....r...p......%...%...%...%...( ...o......*....................0..O...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2006
                                                                                                                                                                                                                                        Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                        MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                        SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                        SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                        SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):200744
                                                                                                                                                                                                                                        Entropy (8bit):5.749226305007416
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:w6+fUrAluLy/Dy23JLbcc0FIE9cAT2tl/g2rPdniqiTjXLRgiV12:XbrZb23JLbcBFIB/JLFiqiTjbRG
                                                                                                                                                                                                                                        MD5:5F782D0CB0F717AE9DFD1B4DA1295F15
                                                                                                                                                                                                                                        SHA1:B33575E428E19940F0585C747E054CA70A12D454
                                                                                                                                                                                                                                        SHA-256:0F233BD5FE96CF5F7EFEA0FA0634F98C37A3A095F72ACC79A3544590BF228B43
                                                                                                                                                                                                                                        SHA-512:E373BE20E06F31F81A8C0368E8FBEE0BD7E98095A6E1F85ECB8969A35CAF32E22194E2448DE9213BB86478F454E708363EA6AB990648422B57F057A0516959ED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]............"...0.................. ........@.. .......................@.......U....`.................................C...O.......4...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B................w.......H............$............................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. K.. )UU.Z(.....{....o ...X )UU.Z(.....{....o!...X*...0..b........r...p......%..{.......%q.........-.&.+.......o"....%..{.......%q.........-.&.+.......o"....(#...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*..(......}$.....}%.....}&......}'......}(......})...*..0...........u.......;..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1780
                                                                                                                                                                                                                                        Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                        MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                        SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                        SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                        SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXVLU:WBVg
                                                                                                                                                                                                                                        MD5:98BC1C91690FAAB486632504B4053AE5
                                                                                                                                                                                                                                        SHA1:CA53F1C78C8300A9081FB8B32CF12A326F4C0867
                                                                                                                                                                                                                                        SHA-256:2E15A9CA4C56145F6E9E57F0A2AFB1435EE2C26DB84157812EB81C87911D2744
                                                                                                                                                                                                                                        SHA-512:FD3E660B69D987F4F56E3C73569AA73E25DEA8D4B7FB33A8D118CEC6CC7470D36D3A01F00B88E971D01A7901890DDA227BAE8068FBBCD5C5067CFDACDD0DA7F3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=20.1

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102440
                                                                                                                                                                                                                                        Entropy (8bit):6.190075678943392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:2PAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476wy:22bYbYSWd85I5sSakFQhHLv4E
                                                                                                                                                                                                                                        MD5:3B4C86E80369670261C68D1F5BB2AFC9
                                                                                                                                                                                                                                        SHA1:E77E028D8DBF603B8F41ACD2F2D75E4A57645FE1
                                                                                                                                                                                                                                        SHA-256:D2B782810BA8D8608BDCA858C44DDFDF3FC10C50F7732FA85D3A7F00CB624648
                                                                                                                                                                                                                                        SHA-512:983C50BFF6A88F732CC4F0790DB04CE2881F2FC80D5E8D8F793FBB961301F47B6DB722375603862D3E7CDB081C49CA5723E2449260D4286B3E9BD72D85A0F91E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..((..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95272
                                                                                                                                                                                                                                        Entropy (8bit):5.99620286041089
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:v4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766V:v4auS7S5Ea6WMcpuUB3
                                                                                                                                                                                                                                        MD5:BB307C07EBBB496EAE96F971B64A21BF
                                                                                                                                                                                                                                        SHA1:09A19DA0FBEB2CC3CBF081F554A7D42DC2894E26
                                                                                                                                                                                                                                        SHA-256:DFE846B759B22879C93220E28E0DEAD32971844B3EC92DCD4700E0E3FBEC96A0
                                                                                                                                                                                                                                        SHA-512:0E35ACF658CE98EFAFD4BD0DA4BE4860B77D84771646D295569F6EF689293205D9BAF858E29EB00D11C815490A12A65DA5A41C855E965035D084029739D235F4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ....................................`..................................`..O.......4............L..((..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.655242412887192
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cXh+tY2jNyb8E9VF6IYijSJIVxaFHCcfj:cX862/EpYi600ic7
                                                                                                                                                                                                                                        MD5:BFEAD9EBEF84B6E54BD57D5E69EDCA31
                                                                                                                                                                                                                                        SHA1:92111F77D5775B3EF3A1AADCC1DB5F46A1954A6E
                                                                                                                                                                                                                                        SHA-256:D8D1E6308003DE036BB70B21F75AF7CA75F09ADD46BA61708C3A0802592C61D8
                                                                                                                                                                                                                                        SHA-512:3CCDA8E0095B65721C5054402245C0D52C323B94D2FD9E61FE04A812E278872D2BAF896E842794E14CF7ED86C1B33A5E0EE2D223CDF75ACB4DA7CFDFEAA9729A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ...............................}....@.................................",..O....@..(...............((...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75304
                                                                                                                                                                                                                                        Entropy (8bit):6.240768510010967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYP:AF+qo7mDEwj4NXLGcfgruFcaD76j9s
                                                                                                                                                                                                                                        MD5:6D7FC33F2CBAA36AC49A0E59BDAB72AB
                                                                                                                                                                                                                                        SHA1:E2A77AA1C979C0BE322BA0A56D13558DB3A1C903
                                                                                                                                                                                                                                        SHA-256:DF56F140B50A1319F578FE9EDC6C4ED377E519A30DFC2A2D53A241F30C83FE3A
                                                                                                                                                                                                                                        SHA-512:C20A2188301F1D73327142DBD36C1FAC62116E034B0A49F5D4C23AD942F8642A2FFD1976B0B249B0C0011B04339F912847B381309C94605984BC4EB73D514D10
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`......./....`.....................................O.... ..................((...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.407474903458746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:aQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi60i:a9MYn1seLE8JFMLcyXQ76P
                                                                                                                                                                                                                                        MD5:1DCD862442C7273B22B1CC318DF9BA51
                                                                                                                                                                                                                                        SHA1:154BBB2E1E3D4EC1BE4D75DFD4343CB362B1EA61
                                                                                                                                                                                                                                        SHA-256:64665F70B7A692C06570F487C3986C1D73AF507B2A15A52AB0B214F453FA9992
                                                                                                                                                                                                                                        SHA-512:80CBDD042B298CE25D0E82032E1B895B08A529D30A96306D8272E7F08FF3944A50C70632F06F803DDFFD0C9147ED83D8C43F8F43AF439A5B81BB3D7233D6D7D4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ...............................e....`.....................................O.......4...............((..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.2033935785037295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhO:09XeDmzV2yzlhKLFU1lLVp1+2flYFnQz
                                                                                                                                                                                                                                        MD5:31D90BF6DCA94221D7D81C17E334ED3F
                                                                                                                                                                                                                                        SHA1:8C72EB65C23BCCF35F3319B854A8EA56E0E7F953
                                                                                                                                                                                                                                        SHA-256:CBFA4444A4574661F12D27E6509682E3E9C746B3BE5CBFE8C794B05F6057E281
                                                                                                                                                                                                                                        SHA-512:D5E201F060E0F00FA10E057710B37AA51F76581D3C3FCB1D57974FEA6A140F680E018AE70508C48E5C6BE63E913DDE52294088382D6F1D44D23EA04102BDA8B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ....................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96296
                                                                                                                                                                                                                                        Entropy (8bit):5.6328703738583465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:a2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJ9Q:XQmyxL2L4D+YZL2X7SAaqywjhkWe9Q
                                                                                                                                                                                                                                        MD5:13AAE87ECD696247FAC397F045CC7EF7
                                                                                                                                                                                                                                        SHA1:69574E2201A5DBF1BB725DA3172865E0253468F2
                                                                                                                                                                                                                                        SHA-256:8DE7F96272724EA147FF1CC7544C7349798B3635AE9C9EC5680FEA11228A7DF6
                                                                                                                                                                                                                                        SHA-512:256D8ACE98885D5206B2E73DD323413291878CFDB8582E2FE94A31B725ED9681D9BD4371D4178038B5461936A3FBCF22FEB66E600BD68ACF31D9AACC3CEE06DE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W...........!..... ... .......7... ...@....@.. ....................................@.................................47..W....@..p............P..((...`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...p....@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):386600
                                                                                                                                                                                                                                        Entropy (8bit):6.136008226210181
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:9sETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEyo:9sbZnMfwWFKFrrWa8BvEyo
                                                                                                                                                                                                                                        MD5:5FC49C1DD74CA00CC0A054401EBE93C7
                                                                                                                                                                                                                                        SHA1:942CF1D170A81784342DC552D7A4EC0157245159
                                                                                                                                                                                                                                        SHA-256:B4643B63E61BE52F6750A9A429914D9ED2488D40CC3EEEF4BE97350ED11387AB
                                                                                                                                                                                                                                        SHA-512:CF4C0102B677B401B113C7BEEE14AC1F70A6CCB3D926A50BA7DB55A748D9CBB5A53025ADF2111424492C08AAE44FEA325740ABEC1D4ED912D549FC5786EBCE05
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... .......<....`.....................................O.......@...............((..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......T...$...................x.........................................{0...*..{1...*..{2...*..{3...*..(4.....}0.....}1.....}2......}3...*....0..q........u........d.,_(5....{0....{0...o6...,G(7....{1....{1...o8...,/(9....{2....{2...o:...,.(;....{3....{3...o<...*.*.*....0..b....... ...u )UU.Z(5....{0...o=...X )UU.Z(7....{1...o>...X )UU.Z(9....{2...o?...X )UU.Z(;....{3...o@...X*...0...........r...p......%..{0......%q.........-.&.+.......oA....%..{1......%q.........-.&.+.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.83462305683277
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:7N9VWhX3WseNyb8E9VF6IYijSJIVxF5WY5R:RGZmEpYi60Z
                                                                                                                                                                                                                                        MD5:5FCBC5F2BF666A740409BAC1CD7C045E
                                                                                                                                                                                                                                        SHA1:6DB922DBF23EA02B9351DBA4169B0E4EB350BA91
                                                                                                                                                                                                                                        SHA-256:E201521DE53052ACD367AD9B3868776E5F061E088446D2D6409420F0101A5AFB
                                                                                                                                                                                                                                        SHA-512:906F5E8EB5887DE4BA920367ED75480EF506952E149D2554E618442353CA4B2CDF2684839988345B00C356A2D77213B6B905E68213B445EBCC6D5E75E507B65B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ..............................f.....@.................................T(..O....@..0...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168683157071498
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:8BhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTO:8DMUWITZznu85k8Wdn8KmCjIFi3Vvi
                                                                                                                                                                                                                                        MD5:750E65DDE7AC14B5920FAA34E9807AB6
                                                                                                                                                                                                                                        SHA1:9BA2E717AF511711683CEA7E1A62EC160E350A6A
                                                                                                                                                                                                                                        SHA-256:0DB29ECF229457A276C3BB0A02179C09877938C5EC5724352ADA6B16407DE331
                                                                                                                                                                                                                                        SHA-512:794C41AB53DBCF9F5AF6AD35DC5ED9C7E2290A160BBD28D1CF2A7FD1351A5410989D3B27B4C9B52325CA4F01A79B485FB07299AFC47C33AB6EFC55A77E53D5F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@............@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883752
                                                                                                                                                                                                                                        Entropy (8bit):6.071371193883245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:b1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ6:b1n1p9LdRN39aQZUqX
                                                                                                                                                                                                                                        MD5:5BB4618C81652C0FD405001CDB982416
                                                                                                                                                                                                                                        SHA1:BFA540860AC3D1D49FB896EE2E177631E43A33EB
                                                                                                                                                                                                                                        SHA-256:ED6673853467A267CFF6E4E2E07037F0226A2942D335F59E6A9B3E7E372574F2
                                                                                                                                                                                                                                        SHA-512:5D37B663D6002060E191E6A4B4ECED6380349590F2E02910A8460DE5808C68C9BF7AD228015ECFA9A5824BC46B577DD20C094E45D11383BE00E96685B207B7EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ..............................).....`..................................c..O....................T..((.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960343834822355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU6V:2BA/ZTvQD0XY0AJBSjRlXP36RMGnV
                                                                                                                                                                                                                                        MD5:79FF2C67FD3F8A73B18336167944F91F
                                                                                                                                                                                                                                        SHA1:974E824087D0146CD0139DD6C515F7A769552934
                                                                                                                                                                                                                                        SHA-256:D77ABEEFC22B5E0B6904AD2EB8D0D82B9A6611A47DF60EDA3B62436203734061
                                                                                                                                                                                                                                        SHA-512:35C8DFCB95EFB9D7EF2D24D2A08DAC244161326F7AA1290F37B40CBAA0580C1DCDD0434D53D88E362EAAE91ECE91A968466151B90D05A77C124DAA4DB77777E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285736
                                                                                                                                                                                                                                        Entropy (8bit):6.184394295423341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:LZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zvk:LZU0BJwuOcrl1w7HX3HWJ
                                                                                                                                                                                                                                        MD5:E9622BB406B5CC041DAB8042402838CC
                                                                                                                                                                                                                                        SHA1:08DD86152507F8381E92AECA2BF9F92DF445FD78
                                                                                                                                                                                                                                        SHA-256:27B83B19EBBEBB69297D7C071CBFEEC3CF5825A7669D9844C1F5C03D32F221CC
                                                                                                                                                                                                                                        SHA-512:6D495D15BDC165A09712578D1BFE8B11DCDCBD7A71282F0B892BCE07028C3F3DAF19E5FF0A45C1F7CE235325B68280B359559C0DF6434876271B367EDFFEA16C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..*..........&H... ...`....... ..............................5.....`..................................G..O....`..L............4..((...........G..T............................................ ............... ..H............text...,(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H....... d..t....................F......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.557142083271252
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IAQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxs+8:L1LOg3BtNbEpYi60i
                                                                                                                                                                                                                                        MD5:2532E59305E0008E57C2BDD160B3D3C1
                                                                                                                                                                                                                                        SHA1:61FDFABA94E32F9C6A6D4C83F1AFF039C0DFB46A
                                                                                                                                                                                                                                        SHA-256:DB151AB41076953016567010F1B6D14035EE149DBEC43DA8E7ED4E67DDC834B0
                                                                                                                                                                                                                                        SHA-512:207A73F85F14837C844F3B54D87181DFB609FDC4523482ED8DEE24DD9B1C39103FD4DE3B8EDB1ACB4EBCB65211F1959BB1A4EED48C031EC3A30523E9DC3B6495
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."...0..2...........Q... ...`....@.. ...............................,....`..................................Q..O....`...............<..((...........P..8............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H........*.. &...........................................................0..:.......~....s....(.....(.~....r...p.o....r...p.o....(....o......*.............(......(....*.s.........*.0...........(.....(....o....r...p(....}......}.....s....}......{....s....}......{....s....}......{....s....}.....s....}.....(...+.~....%-.&~..........s....%............s....(.....{....s ...}......{....s!...}......{.....{....s....}....*.0...........(....,..(....*.{.... ....rU..pr...p.o"...u(.....(#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2029
                                                                                                                                                                                                                                        Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                        MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                        SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                        SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                        SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):210984
                                                                                                                                                                                                                                        Entropy (8bit):5.347898606449367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:8sMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7c:VMNkrE4AOqcIzQijLC
                                                                                                                                                                                                                                        MD5:D9123F80F12ABA0AA0596E710AE8C2DF
                                                                                                                                                                                                                                        SHA1:DAF74A60246DBF736CAC318F5113E9787926E3D0
                                                                                                                                                                                                                                        SHA-256:C342B88D1BB7BBCE4244262BBD86D439333A339947675192A5599D6FC6B1549F
                                                                                                                                                                                                                                        SHA-512:816518573C0409C9DB4DD543BD1185C25E92093E3396D358AAFE4E65BE5BC278B23A8F417C86981120F1E5D9E4330BDCE49058D28BEE11ABCF2EDC5D74F2CBF5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z............"...0..............;... ...@....@.. .......................`............`..................................;..O....@..@...............((...@.......:..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......@......................@..B.................;......H.......H$...............................................................0..;.......~....s.....(.....(.~....r...p.o....r...p.o....(....o......*............(......(....*.s.........*.0..x........(......}.....(.....s....}.....s....}....(...+.~....%-.&~..........s....%............s....(.....{....s.......s....}....*.0..5.......(....--(....o......(.......(....+. ....( ....{....,.*....0..I.........i....*..{.......o!.....{.....o...+.. ..{....r!..p.o....(#...o.......*.*............'..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19433
                                                                                                                                                                                                                                        Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                        MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                        SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                        SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                        SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284200
                                                                                                                                                                                                                                        Entropy (8bit):6.117054902542995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:TZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHv:9go0WPVTXgP
                                                                                                                                                                                                                                        MD5:26091035FE3B95AEF02880C0F16EE5D2
                                                                                                                                                                                                                                        SHA1:D6BD36B439AD591929DCCAFA6E1FA7FD419BDEDD
                                                                                                                                                                                                                                        SHA-256:21FE70B8F2B0D14AF696CC931D2A34A29F97AA003CE9711A7606CCF1562F155A
                                                                                                                                                                                                                                        SHA-512:4DC302392B95993FE5E4700B99B6B152CB0BE5DE327720E5CFE71D662DBC475F04F554CE660318D024A32F99CB274167803C01FD35FFA52E0A38129E2012A871
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ...............................`....`..................................B..O....`..D...............((...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.808058508898839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mDNxWQFWsoNyb8E9VF6IYijSJIVx5+V772g:mDNVLAEpYi60ix
                                                                                                                                                                                                                                        MD5:CB6CEAD1C494643D8BC177A3181DAA46
                                                                                                                                                                                                                                        SHA1:28FC5E2823C87ACB25AA28C72E36E8FED27509C8
                                                                                                                                                                                                                                        SHA-256:C77CE05A295FE74CC5536BB3067310412E416AB5207C1A147AA3FB0396B607F0
                                                                                                                                                                                                                                        SHA-512:A0DA988D2B8909ACC02F33FCB23ECC4D518DC087FAF1D4EC97FBEE9D214DAC3D203AF8DDC36D117403781F3B908DCA3B392E6985B0955504BA7935BD1C665443
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ..............................+.....@..................................(..O....@..................((...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.670261992081206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OrMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAUy6k:OrMcXP64LEpYi600
                                                                                                                                                                                                                                        MD5:EC6BE562CD6ED413FF0E833A77595A6A
                                                                                                                                                                                                                                        SHA1:3D78998E7532950DE013624F79D84B0BDD038E35
                                                                                                                                                                                                                                        SHA-256:58A397559EB7450009E7DCEED705386E97403B640E4C2572A2C21ED38ECEC7BE
                                                                                                                                                                                                                                        SHA-512:4477A3975C10E011F406849CAD5F178CC621F29797AAEE26E5D9E6DCEB9174FC573CFFA5D6CC216816E142941572CB1F768079CA091532EDFE0C183FCE7C4267
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ....................................@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.903995238231185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cm2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT89QpN:EtaJEpYi60w9qN
                                                                                                                                                                                                                                        MD5:C27898B6BA04D6A07DC20F956DD5B692
                                                                                                                                                                                                                                        SHA1:AB58016F4F33BB28422732254FCFFBB55D35568D
                                                                                                                                                                                                                                        SHA-256:B26BCE9C60613EA4C558F37C13C019ED90EE425C0DF34EF46F1394731D123AAF
                                                                                                                                                                                                                                        SHA-512:C11CA3B0DAA4BF95D9991743FE42627BE31DF0F1FB7FD1116C29659442AD1A548BF21C08184CF6397DB56E548B09DCAE08ED7C4D387FDBCE06D4AC4A2F638CAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................q....@.................................t)..O....@..D...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.899076813883936
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+napn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKJFNt:9Dur5NEpYi6002V
                                                                                                                                                                                                                                        MD5:0A6F2F96579FB5DEA09A1D43AC461A1A
                                                                                                                                                                                                                                        SHA1:AC96B251758FC588C699BD92F9C295F90390F777
                                                                                                                                                                                                                                        SHA-256:64E8FD26982BB275167E2C063FA9B6FD91C867DCFE8F685978C79BE5D56FB1D8
                                                                                                                                                                                                                                        SHA-512:17EFE747E4DC387DB0AF3B328F3C039786806FA85D574E94B23F4CCA6A50B9768B37A094A797ADAAB4B4FCAB8DFDA950F0E9B41EB8FE4505A4116941A7E09184
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................._....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.9045106778941765
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:THLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3Sp:aPv5t/NOOMEpYi608i
                                                                                                                                                                                                                                        MD5:BC6FBEE698B433A15A5A8677C6E5227F
                                                                                                                                                                                                                                        SHA1:70C76DD5825850EB215B7E9070418AEA6ED8CADE
                                                                                                                                                                                                                                        SHA-256:1FECD69B9EBAFD71F1DDC6DA55091FB5EAE5C2985901D07B7866F6146AECA31C
                                                                                                                                                                                                                                        SHA-512:537A2122AB5E8472BBA4E3FDF5AD20D11852E4456EFE903FDE30B28FA667C4867723B88D15494B2A8C16516050F2DA254541845983EF7BEDF85D016A0B9E36AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ..............................]i....@..................................)..O....@..P...............((...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.759690943204462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:S6iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQhpXi:EiAuEEpYi609mu
                                                                                                                                                                                                                                        MD5:F140E615371C9918B41BB82BEFC04B60
                                                                                                                                                                                                                                        SHA1:30CDA9BCD776EBE15DD6E2A544662B1ED1711294
                                                                                                                                                                                                                                        SHA-256:4DD6878D7D30A6BE05FBDDDBDB1D8EBC2B0A3F264DE071069F019F5A47766911
                                                                                                                                                                                                                                        SHA-512:612A62533A48D8261D0287448B3BD51F891512305D86899B7E67CF5CB9F0BFF7F6EB4FA0C758D6802BBD2AEE2718B8D4D9B081292DEA285F1A3C13BF9119CE40
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............*... ...@....... ...............................y....@..................................*..O....@..................((...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..|....................(......................................BSJB............v4.0.30319......l.......#~..|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k...........*...0.*...M.*.....*.....*.....*.....*.....*.....#.....*.....x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.811319806859492
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vnzz+MpSaLWW0+WCANyb8E9VF6IYijSJIVx1JiCB:Xpui4EpYi607HB
                                                                                                                                                                                                                                        MD5:674C7CC18094A065F1AD7C2D70B6DCDB
                                                                                                                                                                                                                                        SHA1:62F106B045278CCC693684697B55BD1D6AEC77E9
                                                                                                                                                                                                                                        SHA-256:1DBE44461DBBE4E57F9F28FF4B2F4F68E49C2DEE1FB632449F2B3D7046ED2CDF
                                                                                                                                                                                                                                        SHA-512:8C7C029227051B60156636CB0B1D93ECD2D64C23E61FF4C104D511BA1ECCCB6374A3AAC5A8A19D3F028391F74CE196FDE257C811B1E6A6BDAAE7FEB577F8A7B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B*... ...@....... ..............................l.....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$*......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.8574566850311935
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9Ghr+YUfyHxsW/HW5zNyb8E9VF6IYijSJIVxVU5j:ikmcvEpYi600
                                                                                                                                                                                                                                        MD5:814CA88031F4742F96F0A1FC023BD1B2
                                                                                                                                                                                                                                        SHA1:14ABC123D068A7A436A90AC7575638FE3718FECE
                                                                                                                                                                                                                                        SHA-256:6B94B8330FEA4DC6A8B8346C8327F5263EF404A79604DA345E4750B3E577AFA2
                                                                                                                                                                                                                                        SHA-512:8EE21783BE3F4087DA177E956427D2FB55BF6A42BD67E55DEEC109FB3A9134C76480D8C5B4434A531E21D46446EDA8772AC4897564BA4C6FCD479A96082F199B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ..............................N.....@.................................<+..O....@..`...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.791342781786458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:tRE+ruiA5vzWeNWdSNyb8E9VF6IYijSJIVx4XLb:tS9b2yEpYi60Y/
                                                                                                                                                                                                                                        MD5:2FF5CA376EC3B22D4C644E0D2EF2C251
                                                                                                                                                                                                                                        SHA1:CB44B2A742F07ACA00C81A8E6E974F8EB48E287E
                                                                                                                                                                                                                                        SHA-256:518157DDFFAB7B2E4FAA5F35315786FFE78C3ABA1D282A71E8531324C220A7D5
                                                                                                                                                                                                                                        SHA-512:0ED9C50322375C86FE1A508302F417B8036C4E14B8665509D1465EB3270CF9F69B2D9D05D12C00503BE1CCD0B059EC09EBC1B0DE0B4344CA7248CBF98AA95204
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ..............................Q.....@................................../..O....@..p...............((...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.849219139849392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sT+6ywnVvW0LW5SNyb8E9VF6IYijSJIVxcomX+Q:s998yEpYi60ZQ
                                                                                                                                                                                                                                        MD5:A3767F833B7DC371A63FD24BC47EC860
                                                                                                                                                                                                                                        SHA1:962EAC5A3F829D0E7A37D357B59784FC2C30D0C5
                                                                                                                                                                                                                                        SHA-256:977059230957BD6898054C5690B79770CCAFD001E6530976F4555E943291CB92
                                                                                                                                                                                                                                        SHA-512:6A168D4E72B89B65AC385E99D13AA36004A22EACBBDA93D7A933C05191EF9A4AF88A667150E12787FCF1D595B46B5C297521DD8B0B302329FF91CBA938D7E737
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................((...`......|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.847269902417784
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NRbzriaXT+WlEWe5Nyb8E9VF6IYijSJIVxri+tLZB:P7icodEpYi60u87
                                                                                                                                                                                                                                        MD5:D8301ABE51723EA90AC26BEC7107CDE2
                                                                                                                                                                                                                                        SHA1:A23A59BF76D2984D83D2151754AFCDE0F8B39571
                                                                                                                                                                                                                                        SHA-256:6CDF0F8678D101EE6837283A663E4E57FF0C04E32AF3906A502568F63A2054A1
                                                                                                                                                                                                                                        SHA-512:FA46D4A5F0804DEBF7154096A00BE4D0EACA869B16AD36A99D4AFFAAB2B27454AA31D181EB2DE92BE9BED82B0E486C2667F4ACFC89CE0BFE41B784474C438FF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... ..............................$.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148520
                                                                                                                                                                                                                                        Entropy (8bit):5.417690904085497
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:FdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CSP:z+2jv1x0ebezWiun
                                                                                                                                                                                                                                        MD5:4E5715CCEAED8AF7F5FBCA92CF7890AC
                                                                                                                                                                                                                                        SHA1:0D9195E6861675CC4AB9231D8D37C6787DB70ABE
                                                                                                                                                                                                                                        SHA-256:E31EE9088ABE8F4B12037583861D50425A51470D455DCB2B3F14B976DEA7DF35
                                                                                                                                                                                                                                        SHA-512:87D665FF6550BB48512AD07C22D6C4FC2280AEF9952FA19BBD846D6271F50E99704B551E11CDD17DA4ED195F4A468BD6DC53E06D74DBC3B6B1FAEFC36F4D452B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ..............................L.....@..................................,..O....@..................((...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r;..p.(....*2ro..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rK..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rM..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.811910923320141
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qzNnzx7FWjYW5mPVNyby2sE9jBF6IYiYF85S35IVnxGUHF8oymi93JGX:4RtRWjYWw9Nyb8E9VF6IYijSJIVxINGX
                                                                                                                                                                                                                                        MD5:5BBDB5177872D6056A16156D1054629A
                                                                                                                                                                                                                                        SHA1:C406A78F21B73C98C1650DA863F62D9574CBC1B0
                                                                                                                                                                                                                                        SHA-256:FDC5C25D74B42D5394A957A2BF76C892A79C14F0EB47365AA7658D614367009F
                                                                                                                                                                                                                                        SHA-512:C6BC4FA6D4C5B503D596B54BEB4BF22B831622499C2176FD677304CD1444D21605BF1F39A4B02EE319C2C04255B17F6DAA48B0087B61DBB6B577CF55DF599376
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ...............................h....@.................................x*..O....@..@...............((...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.891333615519176
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZeWnoW7zNyb8E9VF6IYijSJIVxG1+M1v9:ZnJvEpYi601M/
                                                                                                                                                                                                                                        MD5:492474182461AD44627970F9BDA3353A
                                                                                                                                                                                                                                        SHA1:4615E954172D1CAEA1E254972DC7F995231B0C79
                                                                                                                                                                                                                                        SHA-256:54BB3F2B00F95B924EEB7896B0A2F00DF47BE6B5A35535523CE04EC3DB26B586
                                                                                                                                                                                                                                        SHA-512:2EF0B4E7CB9707C34BD8A1069D4AAB1E5D1B97857D93F12F3C76F985B69F946B7D0CEB7532E155D24D58CBECDD96A6C10793DE07EABCB2379C61BCC3BAFC5882
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................k....@.................................X)..O....@..$...............((...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99368
                                                                                                                                                                                                                                        Entropy (8bit):6.2367181096327435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:qTDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD763K4:CitRK/XIgIZAXjD96WfLtGdM5baDI
                                                                                                                                                                                                                                        MD5:E436018D154260FB2AC921477F8E31A1
                                                                                                                                                                                                                                        SHA1:78330AC1C3D16B6A84954E0FCB05EF81C2AAB773
                                                                                                                                                                                                                                        SHA-256:C294A1022777E2B3F9B30E6D0F25E0D0EC93EAFC08B120EB09A62D3A66F0CC6F
                                                                                                                                                                                                                                        SHA-512:531103448B34CD9914927B7037BE7BA55D4352C555566EA2B67EADDC1271E5D71474C789B0BAB6E7C2BD408A849340B68AA69AFD24AB91D80C3E8B4CFB3FE285
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.#..........." ..0..R...........o... ........... ...............................-....`..................................o..O....................\..((...........n..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................o......H.......4................e.. ....n........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.849695340076211
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:F6oWJjWN3Nyb8E9VF6IYijSJIVxukIAFaS:F6vk7EpYi60J
                                                                                                                                                                                                                                        MD5:D6E6ABBB9F1D390F625547ABF8816006
                                                                                                                                                                                                                                        SHA1:022D2B079CFE2498C72DDE7E46E07A6AB5F34E00
                                                                                                                                                                                                                                        SHA-256:C9C9931BAE9A3AAAF026FCE5FA63B1A53E77C1848018D1738D5CE5435BF7E756
                                                                                                                                                                                                                                        SHA-512:06E902B78EF858CE31FF7AB77211872F0683D03E5A05C8BE9DAB24D41E885C555691B385C993BCB8A6D87E2D4C6746117B6748BA17351C6A6A158F98E346C81D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................C.....@.................................H(..O....@..p...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777208714139607
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Eqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjO0:Eqk53MmSEpYi60H
                                                                                                                                                                                                                                        MD5:541C108C06FDBC6FEAD67A016EF12FB7
                                                                                                                                                                                                                                        SHA1:0EE2C9A8741E723DE3864428CE137E6DB17A4B7D
                                                                                                                                                                                                                                        SHA-256:27EBC61FAB1EE87C8AC6D5D5F00C94625C01E3A105A5C7471075E66A342A3019
                                                                                                                                                                                                                                        SHA-512:0C5274B487C5EADA7968010F49A66D5464F095B7AC9B9553E5AB7568EFAAA672FB27A668E5F7EAF9323D1D12AA3A3CBEFB3D2108D91281EB6B915EAA93BE05BF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............**... ...@....... ...............................Z....@..................................)..O....@..0...............((...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................*......H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.662038790195001
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwON9ll:9CcyCrSEpYi603j
                                                                                                                                                                                                                                        MD5:10DF0D52BD08862FB41F2C8582288AB2
                                                                                                                                                                                                                                        SHA1:139BBFDD3A66EC2E784D018957CA20B53876F72F
                                                                                                                                                                                                                                        SHA-256:13643BB940237A53CAA30F1C003F10342CEEC98277E92C3A732477D51AD557CC
                                                                                                                                                                                                                                        SHA-512:1380E2D3674383679728387FFC34831EA63AB5CAC650C1560F8518BAA850F8129F2499BF21D561E2FB06DA0FCC8E30472553CE5137F114075639B4A2AD16157F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ....................................@..................................-..O....@..................((...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....*6.o.....(....*6.o..........**.o.......*.~....*.~....*.BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.|.....Z...1.Z.....$.....$.......3.D.......|...F.|...c.|.....|.....|.....|.....|.....|.....Z...I.|...}.Z.....Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.875406955244284
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9AWxMWxiNyb8E9VF6IYijSJIVxMPtr8pa:9vjiEpYi604r4a
                                                                                                                                                                                                                                        MD5:A084DC9EAA9782BA85BB94D61D73028F
                                                                                                                                                                                                                                        SHA1:BE0EC4DE4E411637C955BE82182F79AD976EF059
                                                                                                                                                                                                                                        SHA-256:05D7F866C30747A14A6A853F4748379040394E2A44DCED7053484CE5008E44EC
                                                                                                                                                                                                                                        SHA-512:95D541599CF41681D98210A385828E3F86899B1014548907C5F902DFFCA671BCFA850B592F02DED2E7D62CA43E3281ACAFADD518E363BEC6F710BFCB9FA60ABC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8556365736617035
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:7AlcWHaWOQNyb8E9VF6IYijSJIVxyoOVk:Q96oEpYi603Mk
                                                                                                                                                                                                                                        MD5:A1CC50DB46DD86DF240CC2A23B6BBAD6
                                                                                                                                                                                                                                        SHA1:463ADC4A19FE32A49331DE9B2C6D67EFA8CE1BE7
                                                                                                                                                                                                                                        SHA-256:302C98A9C7D98021ED1F31D8053835EA1D1B1625A9BC0E0367A730255F14F11E
                                                                                                                                                                                                                                        SHA-512:7DA514CFE77E38DDF394BD69FC285BE03EEF921142FB50031B00873532F3188ED75D491A5DA088518E29270B1C421AB9625683368DB78F3ADD3E95B42480B49D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................~R....@..................................(..O....@.. ...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.775846940237315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zeIZnWlNWTaNyb8E9VF6IYijSJIVxpcstAgx:iUyo6EpYi60Pvx
                                                                                                                                                                                                                                        MD5:9671E55290BE36C3CD22D6A549922449
                                                                                                                                                                                                                                        SHA1:286C9D98A1520DFE23977BAC6FAC824C1E2694D8
                                                                                                                                                                                                                                        SHA-256:8BE085D0C8454FD84F57B36CF815288B68AD57021D581CC263110127AF0316B5
                                                                                                                                                                                                                                        SHA-512:C9DA2CE9B4EDF22FD871DE2555AE8A57D404D5A415857F90D6630FA372A5543A76E9C1425146FDE92A34C2184EE1C589AC5F8E0008635B7EFF23AF7FB250B5F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2*... ...@....... ..............................+.....@..................................)..O....@..P...............((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.491261723097907
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF6K:AQq33333333kX+TBi8OGEpYi60/T
                                                                                                                                                                                                                                        MD5:B3662B640160F37317BBAE869DBA68F3
                                                                                                                                                                                                                                        SHA1:47D6CF7158EE942AFF3503ACA9CC72B4A3457264
                                                                                                                                                                                                                                        SHA-256:5A1B51984ABDA1A9BF710A7B475BA3CF4377B18044B01313683B19A6DE84A8CE
                                                                                                                                                                                                                                        SHA-512:44647F1142741F424459301CD03DB1AE0CB383F016F00C1C22DBEBB083861E12B32DC946004913E125C39C4A7458D8E945AE6A46F155C95132E0A1FCA58A730E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ....................................@..................................L..O....`..x............<..((..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8*...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o....*"..(....*....0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....*&...{....*.0..4.................}......+....{.....".......X.....{.....i2.*.0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.849594226945824
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:c28YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9Cs7:c0qX2EpYi60i7
                                                                                                                                                                                                                                        MD5:E5FD46755DB68482AAC91448007B7EF1
                                                                                                                                                                                                                                        SHA1:924B322CCBDD9BC877D9AD0938469DAEBF42FFFB
                                                                                                                                                                                                                                        SHA-256:0685FBBED961D709397949761A74E03D23C91A1386AED35B7D603265FE671CD0
                                                                                                                                                                                                                                        SHA-512:CC35F27872FEE334300226DB72DA4B2FA0A7BCBB56182CF5C41A0937B7F9B9C38BD261F4455608BFAAA6001C0BD299F2706F407A2F6275E88EC7602D932C108B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................9.....@..................................(..O....@.. ...............((...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.728260171249145
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AuMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3djz:dOcSpS2EpYi60h
                                                                                                                                                                                                                                        MD5:16058CE2B1E71FFB59B1B3AF098B45D6
                                                                                                                                                                                                                                        SHA1:8A3A8393790B5DF0110308E1457F479B776F4643
                                                                                                                                                                                                                                        SHA-256:F49DEB25BBE363AB05CF8D0746C6B7968BE017994A38287C6F7DF720F3735753
                                                                                                                                                                                                                                        SHA-512:D2D4CF48E16D98DA4CEF3AC1C451C8FB6354E2EB2116D12910E38E229A3FECD7111FC88C9A20D97DBA633B9B73A4AF236BCD97F9816B3155E50A84C6B8DAF66A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ..............................S.....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.8132103569800675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaC7C:z9qKqjqjuq5kEpYi60LC
                                                                                                                                                                                                                                        MD5:935B3F4DCBFF7BBD52913D0F7EAAFBA9
                                                                                                                                                                                                                                        SHA1:1D733AD56E1CDC7DE2779F63ED2EFE9FD1E45C2F
                                                                                                                                                                                                                                        SHA-256:8ADDFEC47A19651E12512201A0934918B987C49CB99D76240CE3A1F9F0E5CF34
                                                                                                                                                                                                                                        SHA-512:8801B708FC1074036B97AE888C7A0084D25F805D599C1A76B293BE63038C36A997069D2B6B7889CE13AC7A2F2681D2C82BCE2AA9B72FE34BD3C4BD771E1CDAC4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ...............................`....@.................................X*..O....@..P...............((...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20008
                                                                                                                                                                                                                                        Entropy (8bit):6.628083630487221
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:0NBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3oNZ:0vMhF2SzNzwu/NljuQmEpYi60MQa
                                                                                                                                                                                                                                        MD5:483D7EFB2ADC512ED1563B35B9B3EFD5
                                                                                                                                                                                                                                        SHA1:8E722995213EC350A5C7EFF9E5051055FF620830
                                                                                                                                                                                                                                        SHA-256:C25F19BAECAAA43BC0F66CBE2A4D62667F63480A69E6D2F283C39CF0C29575DD
                                                                                                                                                                                                                                        SHA-512:90D47C1B3F5FEC620D4EED5623AABF0749FC6CE76946F10ABEABDCAB57F70D98B16F4D5D033F5C945B8C5364B3C64EE329775B6AB01541BAB17B790770F8AA4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ....................................@.................................a6..O....@...............&..((...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o....*"..o....*..o....*"..o....*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*...0..K........-.r1..ps....z. ...@3.(....*. ....3.(....*. ...._,.(....rI..ps..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.9010962408519045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HZ4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlyU4D:HZK0pJuImEpYi60o9D
                                                                                                                                                                                                                                        MD5:049F4C96D31A5E6B98B5D637F00C1C32
                                                                                                                                                                                                                                        SHA1:133CBD6A89A92AC4CD29A632A065B33D7EAF3EC4
                                                                                                                                                                                                                                        SHA-256:DD1833786DA36E28E56E8B213C793CD57F18D9A3178C6849421AFD1054DBD499
                                                                                                                                                                                                                                        SHA-512:E6E1250556CFF2905D299E9BFD173204B458D00F9F3A1D1027950D6C3691BFD4084189F296C73F2635F92D5D4CBE4B8A17A2FBC19932501403F9BA1A04BBAF07
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................5....@..................................)..O....@..................((...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.79493567439118
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pYWsmWIyNyb8E9VF6IYijSJIVx39m93xf:p2wSEpYi60QLf
                                                                                                                                                                                                                                        MD5:DF8B1FEAD5A4F0105FA1F2E8C5846C32
                                                                                                                                                                                                                                        SHA1:42543F56C95297347741D83B2895089071BA0165
                                                                                                                                                                                                                                        SHA-256:849BE6985BE9E724F51B1E49A4458B0CDFA39BBE34C14856673145ADF453FC61
                                                                                                                                                                                                                                        SHA-512:A0F1C331C51F028596FCCA91BA911D4E028A5749B51CCAD7CA718D1413649A244D4CAC6F9653C83AD593FBA7588B391BFE5DA19DEB2DD23E647139C211FC878E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ...............................3....@..................................'..O....@..@...............((...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105000
                                                                                                                                                                                                                                        Entropy (8bit):6.382223209570539
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Svc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA76GQ:Ogk1tiLMYiDFvxqrWDWNoJXBAw
                                                                                                                                                                                                                                        MD5:4D5373B6A808F58896D8ECA2336AFD01
                                                                                                                                                                                                                                        SHA1:8A2D965974BE510616A1B689064D52C82307F142
                                                                                                                                                                                                                                        SHA-256:F057B5B2405F7C094FDE00200F813280BAA6E2323CA55450547042F15B2EFE25
                                                                                                                                                                                                                                        SHA-512:D6C217672649826C9D8BA2A5626F351494D3533F8F8F651064D9E2B7D8D4E75922B1FB87624B1B2FDD59C4C130D3359F3E189E6A04732972A69813D5BB7D3F88
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................&w....@.................................5W..O....................r..((...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r7..p.(....*2rs..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r=..p.(....*2r_..p.(....*2r...p.(....*2r...p.(....*2r...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852952043693082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:XKcuz1W1cWliNyb8E9VF6IYijSJIVxLnd9f2S:Fu8niEpYi60beS
                                                                                                                                                                                                                                        MD5:53D21921EFE5BBFFAF3146D0085D7D00
                                                                                                                                                                                                                                        SHA1:5A927CD487E88E62836BF2268F3475E49733BF8F
                                                                                                                                                                                                                                        SHA-256:24A261F2686F7356E10775FB50D757C52CE60C8CCF534301A87C95CDF5C82DEA
                                                                                                                                                                                                                                        SHA-512:403DB78A35F9EB212FF7B0FDDBBEB0D62EF0307E9E0CDBDA5814666C03DC710D5277D042F8C3D5E10471DA310BCF1D978CCC802B99A66546832A41DF645009EC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............((...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.860170703382652
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:i+SWikW0uNyb8E9VF6IYijSJIVxAd562Dn:i+eGWEpYi60Cbn
                                                                                                                                                                                                                                        MD5:8A1D6584F6699495D216CE48FC51CEC0
                                                                                                                                                                                                                                        SHA1:216DE8412ACC0B0F518DF2A054C16F8D06F738D8
                                                                                                                                                                                                                                        SHA-256:38CF660842803C4A0857F867084818A4142B25E03523998353574AEE007714FF
                                                                                                                                                                                                                                        SHA-512:02C91FD17F37AA0FE6083F5408B992A8D73CF67C164AF3373DCB90CFFF85198AAF3FC259DB954532F74A03A222858E38E83424610F4AF9C2032E0624CBDB8E8A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................^....@..................................(..O....@..P...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.905045898726266
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am9/fr:iAWzgWSsNyb8E9VF6IYijSJIVxXej
                                                                                                                                                                                                                                        MD5:8A767C64807803EE2157ECED3EAB4F40
                                                                                                                                                                                                                                        SHA1:6F43F7316CC9C0D076D34AA8FDA46000F49D401A
                                                                                                                                                                                                                                        SHA-256:837590D809B2A96F1419C5679D80FA2754FA834F2A334757C42DC466A048EE5E
                                                                                                                                                                                                                                        SHA-512:C6966CA4F0F40BEE5A4ECA7F6447AA5589879E40EFEE78116E684F4CC824FF2E4F4DBB22A4C387CE4D9924BF5CABDE6E8CD9E6CCCB60D89FFF1D500BD83C1485
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................~....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.86496439626087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xBLRWbYWziZNyb8E9VF6IYijSJIVx7cB0k:xB2xi9EpYi60YP
                                                                                                                                                                                                                                        MD5:A7AEEE4138CB59CCD273DBD2E0E79D9A
                                                                                                                                                                                                                                        SHA1:31C9C6E1E50CA1C39D924ACE1E8E4C642A687431
                                                                                                                                                                                                                                        SHA-256:6F46D4AFCC2EF8B44B7A775837F01E7EDD92E2A2A6FEDAD769FF28C7EA7C6D3A
                                                                                                                                                                                                                                        SHA-512:4A7756E5F66857C9CDAF9E80E8AABDC234E0091E6C23A146B77FE88F54776E25B1E673827E5E0CA65F1B34E7A02671268BD1780DC7966CEFAE343977ECDC4CF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ..............................oN....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8507567406121606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:HZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5ypzB:jHW4/W1HNyb8E9VF6IYijSJIVx+8V
                                                                                                                                                                                                                                        MD5:11583B81A132095BE2553F4253FFE986
                                                                                                                                                                                                                                        SHA1:B8D126B7A3F4656A9AE66761BB6CD6949C1B120D
                                                                                                                                                                                                                                        SHA-256:6971DB538DF637710C89BB3036CD347402E40492CFB7EB49854227C9D49ABF8D
                                                                                                                                                                                                                                        SHA-512:FA28628BCFCF5F5A271C7D690C96C9FEC12001DCE3BA15BC275E56480AC18189C7023B952330DB806F53C941DB196F6A264A5CB8B1E68BE9A5BCC7430CF1FA2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................s<....@..................................(..O....@.. ...............((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.909698580195596
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:CYvkRxpHWmCW5IPRNyby2sE9jBF6IYiYF85S35IVnxGUHF6qPQ:jvk7hWmCWKpNyb8E9VF6IYijSJIVxuOQ
                                                                                                                                                                                                                                        MD5:29CF4ABD4ED3C2A7D09C5C3EB6E5A9EC
                                                                                                                                                                                                                                        SHA1:6F07AF36D1E1E296F360790FC37587AD5CBDDABC
                                                                                                                                                                                                                                        SHA-256:06BE89325BAD5BD4122CD3893FF97D16605BC09E15A4B192DB8CA05203C4C8ED
                                                                                                                                                                                                                                        SHA-512:6E0663EA3D4FEEE1C8BB3D31B913091643D68B7537AA796FE403787AA8C8FF62E8A4140C929BF46483B4FF245F3F06C789195E43CDF2656A0ED04DE0337F42B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................y.....@.................................h)..O....@..0...............((...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.875163574516282
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GUiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDOvs:0GMWCUWiBNyb8E9VF6IYijSJIVxRxE
                                                                                                                                                                                                                                        MD5:470DB4BFE7A89CD96F38B3F12DE58C8B
                                                                                                                                                                                                                                        SHA1:5EC096244022021F28AEFD534E4CA7A1C4ECB418
                                                                                                                                                                                                                                        SHA-256:AA7F7643BCD4A35D4A49C96B598B952D479E83136C287D6794AF2B092BC3A7F5
                                                                                                                                                                                                                                        SHA-512:291EA1AF40E673D8A81C13DA93229657BED8E1EA763AFD180DD68302E9A4C09A21E59147670564C50F733AD1DCA1858EE9DFF110D2C8AD5CD13DDC3E59483BAB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................@)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.856598427079228
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TBhwI7WSQWEQNyb8E9VF6IYijSJIVxCtglWu:TDwIBSoEpYi60n
                                                                                                                                                                                                                                        MD5:E6D143B54F697EED02B42E6007AF16B1
                                                                                                                                                                                                                                        SHA1:F0405BB9FCC8F0E49DBD8015C975C07FE4A3522A
                                                                                                                                                                                                                                        SHA-256:A2F2615224D8B72EF36FB575511E79405BFE0D17EE56A9C8A688096984D06508
                                                                                                                                                                                                                                        SHA-512:92F060494E8841C468014D5E0651534AD2429BD070B803D0DF6F9A31A50609D8DB582794DB1674DF78B7DDB344EE852F27A98FC81A0710271FBA4531579DFA00
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................l(..O....@..P...............((...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.867121675573712
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QyvPRW4lWvKNyb8E9VF6IYijSJIVxnKoxt:R39oKEpYi60r
                                                                                                                                                                                                                                        MD5:3BBD93806959285D0FA7A7B78AA8280B
                                                                                                                                                                                                                                        SHA1:BCFB697B9BD36EF0CBC637BFC672FC7EC0A7252A
                                                                                                                                                                                                                                        SHA-256:540FA4BC8DF4D9EB350F1A95FFD8872AA7781342E3005DF895342C459F97E205
                                                                                                                                                                                                                                        SHA-512:F7B5C5F38D5AFBE7B4A7FD578C2C894E190EE644F469EC0DA71E540ADD913ED424D45D0D481E500157B93962E34DD1D9CD4A582A54E714C360F6C150398530C9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................i....@..................................)..O....@..................((...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.821046316109917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+6RW6eWX8Nyb8E9VF6IYijSJIVxiAKnbx:+67XcEpYi601KF
                                                                                                                                                                                                                                        MD5:4F0FC3B76A86526C650A9B0684B95245
                                                                                                                                                                                                                                        SHA1:1DC27EE1F71EFD96B4435942B7D9959FC160303C
                                                                                                                                                                                                                                        SHA-256:6B7FF38F8F95CAD304A82F7D709FC9270950DCD1E99E0C52466DD3AD5A6FAA11
                                                                                                                                                                                                                                        SHA-512:3CF0A39B32F9CC4DA14FE0031A7C704EA835AD06840DA70B390D9C857AB7B916ADAC06D61DB0F7BB4EB271547A9F1EF7BC1BD80934E3149E9A08FC6A603CB1F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ..............................E.....@..................................-..O....@..................((...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854836920097815
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3SUP9W70WxhNyb8E9VF6IYijSJIVxu1RV7z:iUe/lEpYi600/n
                                                                                                                                                                                                                                        MD5:45D93C6FA649F9204D74AB1899F1C3D9
                                                                                                                                                                                                                                        SHA1:4A0C650FF3D91738B737D485A53E48917E55487C
                                                                                                                                                                                                                                        SHA-256:911640CC89978360175AEBEBAC93B0A00A66431516E2B9DB37EFBEFDD1AA909D
                                                                                                                                                                                                                                        SHA-512:3BD47D5CDB8C4215B9F45575A949378448F68A79B3C0FC74C44C5DED890E82C42D0966C504AAC82CA2C29FD0D4C4E92901FAB8A8B68B6C23B7DDF49CA1E5689D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................*.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851374926476131
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:t8yg07W0/WtTNyb8E9VF6IYijSJIVx/ou16:tBHEPEpYi60AW6
                                                                                                                                                                                                                                        MD5:2663088236918D37AB0812F458B43C67
                                                                                                                                                                                                                                        SHA1:742477CC66DF985769A06A52F4B9493162851677
                                                                                                                                                                                                                                        SHA-256:FD830178DDDF42D3CFA029D0C7A1F5F47A9988D21D35EB3F6E0BA6E21F24648E
                                                                                                                                                                                                                                        SHA-512:DD2BFFDDB1048EBD4E4F4A6E6E5D4FD87A519B3C9156CBD2192B2EDBBC97D6FD170861AA9644E881722746D0ABDCDD4DB06B9200664B04EE55B909854610C36A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...............................'....@..................................(..O....@..................((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.817087250089017
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ge1WmRWgFNyb8E9VF6IYijSJIVxaxg342:GejjBEpYi60qmZ
                                                                                                                                                                                                                                        MD5:B9DDD406A59FAC863D622344082882DE
                                                                                                                                                                                                                                        SHA1:9AFA510A8BD068824AB74F43AB5877A266A4D8FE
                                                                                                                                                                                                                                        SHA-256:F7CC702EC5A643680DB4CE7891B26937D391F9243F46E3FD6025922783CD2B36
                                                                                                                                                                                                                                        SHA-512:50094E44D92E7AF66B02F2BCBAD855B4F63B7CDE8255C7CB5100146A3CE8D5B96D70BFA707507AE93228E0211F4C8D39B3DE32934BC35047DDE9D476EE227236
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................|....@.................................p(..O....@..................((...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.161293995450423
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:XUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqM:eBFd3/aFs2t
                                                                                                                                                                                                                                        MD5:47A13DDA83D02C5B8338A7FC0522A0AD
                                                                                                                                                                                                                                        SHA1:CFF0D0F4B2815E15CC697D199DDAE1579BB4E0A1
                                                                                                                                                                                                                                        SHA-256:2C9775BCA72A1EBACDDF92213E97D10C5BC246BCCB19CD1E0557C811EED5B01F
                                                                                                                                                                                                                                        SHA-512:55BF83CDD4F1664E248C686FE4E2FD9BA748531A35A7352813AA0D6BCBC97C55914A9677FD7B313970291DE5994296D802037ED7F0274A52E599E922E6E5B54D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`............@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192552
                                                                                                                                                                                                                                        Entropy (8bit):6.114424648358427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:neruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgSbM:6W60VcTvakcXcApOc
                                                                                                                                                                                                                                        MD5:D85FEADEBF972203EDE6DDCBDD751A64
                                                                                                                                                                                                                                        SHA1:4156CFE6BC213CC6FC3F6C603F58F91D8519669D
                                                                                                                                                                                                                                        SHA-256:0BA6A020A4288400FAEE2AF447E1D92F29F00EF60BE326E52D211E3FB71453AD
                                                                                                                                                                                                                                        SHA-512:9FA089626EC8F126F3C36C7232B64A2162B4BDE22396A4D3C18A4003771D8D66C48759670FA206891CC5A710C4CFABD6EF93A51943EEE9576502CADC8F3E3B1A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... .......#....@.....................................O.......h...............((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1...*.0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2*..J.Xo3.....J.Xo3...(...... ........J.XT.*...J...XT.o3...*..o2....Y./..*..o3....%3 ...Xo3......Xo3...(.... .......*.*..0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._..*....0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.836541771573711
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DZsxgyrWYLW5HP4Nyby2sE9jBF6IYiYF85S35IVnxGUHF5LxLFsX40R:N6ZWYLWBwNyb8E9VF6IYijSJIVxNNLeX
                                                                                                                                                                                                                                        MD5:9028310FF5626D8C5A8AF8815A476744
                                                                                                                                                                                                                                        SHA1:3CFD3BB1B9741EFDDDFC99ACEF4B410ADB9FFE2A
                                                                                                                                                                                                                                        SHA-256:E0CD510CF6EA9A61449CA9FA704A8F32C2DA895226AF7244EEC08004E3A0F738
                                                                                                                                                                                                                                        SHA-512:0B09C0A5EABDBF9EA8FDD3756DFF4F5E02C2A97425AAAE534D2F3A415AD736C47EC4665202C0566ACDCE26AB04D965B6707AF457082E1442A80F23AC0EA35F43
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.790953969555689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:t1W1WMQWkMNyb8E9VF6IYijSJIVxuHDMT:C1yMEpYi60uQ
                                                                                                                                                                                                                                        MD5:1DD38B6E246413ABA656A43913B77059
                                                                                                                                                                                                                                        SHA1:71C61475D59CC97DFA2946B7A7B51B5F24249EC7
                                                                                                                                                                                                                                        SHA-256:61DA35C1B73ABD565CFDC47D4B9019F681CA4F23E8EE36ACAE752F73CADE5377
                                                                                                                                                                                                                                        SHA-512:DF4D8BDD4DB5FCE7C5C1C6F8FAA066CFEAA4370C93F3EADBA27270E4994DE7A36F1F676C5227CF5359FCDA7EA3DE87AD36742ABE774A44A3A7736363A9ED07CD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ...............................+....@..................................,..O....@..@...............((...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.831030175823516
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:6Q/rx72WSKW5TPZNyby2sE9jBF6IYiYF85S35IVnxGUHFA/PQq7O:ZdSWSKW1BNyb8E9VF6IYijSJIVxsQv
                                                                                                                                                                                                                                        MD5:4BD03CE10E027EA6FCBF363408B2D635
                                                                                                                                                                                                                                        SHA1:5AE8496EB6A6BB1C7EBBA18C5CB185E5B7C06607
                                                                                                                                                                                                                                        SHA-256:0B2958F63802C93F92D9A11DDC5DDCC5ADEF96FD76A2FC815B855BB45E2D1AD8
                                                                                                                                                                                                                                        SHA-512:B573C33D95BAF36C7C7EEC0B92441260ED029144853D5A8F70E809B881E5DB55E4C0C352857E3371AFA383D912D3F50B6911A02F74A808FE2A86B4C94C9B70F5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................x....@..................................(..O....@..................((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.745241534522964
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZW2kC:zyYA8CqEpYi60+ZH
                                                                                                                                                                                                                                        MD5:0F2F35CF406093A3515D1903E625D4FC
                                                                                                                                                                                                                                        SHA1:329644B8B9AA08DE7EE8D4A2EF6104E39443FB44
                                                                                                                                                                                                                                        SHA-256:4F2556DB1097C0AFE1BFA39B8AAC464BFE6EE0A1C11A9E5E6C7A8CF4801A64F7
                                                                                                                                                                                                                                        SHA-512:86532AEEBD0344CE2A603986F5C0D5D52DB9528A2ED93BC7C1B531FB93ABEFB639D5AE89838F2E720059714F4E01468A0AB7BD452648BBF88CB52D7DDA4C4F7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...................................@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l.......#~..|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874609224447225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3JGWe4WTYNyb8E9VF6IYijSJIVx5OCvRh:ZmRQEpYi60BD
                                                                                                                                                                                                                                        MD5:11A7A2FD3AF4EBAB476480C6B9844D10
                                                                                                                                                                                                                                        SHA1:BA546C98FF9D2228A6535D45B8A1096CAB5E7E8B
                                                                                                                                                                                                                                        SHA-256:1EBEBB93F3ACC1C6621D4D5B118D0C3D9F24D615EA450E62A6617C16EF78745A
                                                                                                                                                                                                                                        SHA-512:6E7315EEEC8E9B6D57667F57D9D952F5CD563477D26E8ECE918305451FC07B9DB041156C2716C4EE74FFFD2035BFA56D975492A37E445F88BB6759E42B9F0F0A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................Pv....@.................................0)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.7866056000100725
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NdW1w3WesWn3Nyb8E9VF6IYijSJIVxV4ML3:q1wxd7EpYi60+O
                                                                                                                                                                                                                                        MD5:E99749C2D6855F01AF07726518259C25
                                                                                                                                                                                                                                        SHA1:01923DA1D66638C061F46641EA916EC7AE74738F
                                                                                                                                                                                                                                        SHA-256:67D6A4D61AC7B1D3DFD855DA099899C08BBBC224C3C68B29C74D7E60216EE718
                                                                                                                                                                                                                                        SHA-512:87736819EE103D35F18CA3BFC371752EEECF27E725EB9E3A73EFD21480BE04B5002E0D35F41B82DE009731D8F9999508EE1FB5BB7FB36879B92E4CF3020762E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~*... ...@....... ....................................@.................................,*..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24616
                                                                                                                                                                                                                                        Entropy (8bit):6.593818167121892
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VFP:Ayp12Bhkg3qnV/srYEpYi60Rr
                                                                                                                                                                                                                                        MD5:E3238BA54E79B27CC6E7EBF902556D09
                                                                                                                                                                                                                                        SHA1:F8BC1F7D512657E9B0E5CDBD7843AB4101D2EA33
                                                                                                                                                                                                                                        SHA-256:D16AD1F3B3D97BA1331204060013A3CE898594BCE31CA84F700613D880525245
                                                                                                                                                                                                                                        SHA-512:AD8E1BAAF7B75B5AFE5800201D1BC26E9C9565BAECC13EDCE367FB7BF2A53D1B15E6B25380A31100B28213ECC1B03C8108DBAFF53EBCF5652E8E9A0C3CD0E3EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..*...........I... ...`....... ..............................m.....@.................................gI..O....`...............8..((...........H............................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o....*...0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+*..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..L.......(....~....%-.&~..........s....%.....~....%-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854872320109744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:rSHlx2PW1bW5kPWNyby2sE9jBF6IYiYF85S35IVnxGUHFl5tcr05b:GHPAW1bWieNyb8E9VF6IYijSJIVxJ5aw
                                                                                                                                                                                                                                        MD5:685C4B4E983F839137E2CD7B774A1002
                                                                                                                                                                                                                                        SHA1:2D7CF0F91AA51112C2A4338448148E2957431E56
                                                                                                                                                                                                                                        SHA-256:5FD54CD23BF035AB595A741CD728931AEAAD1FE5E631B45DD5E5276AAB412829
                                                                                                                                                                                                                                        SHA-512:DA9C144B5FB649B811C0BFDD1989AA573AF8AC8F352F7D0A97187CF0687E989B2B794AC89A08AEAB734ACBAFD4D55E19F7A294F64E5C503E17BB85A84E158973
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................h....@..................................(..O....@..P...............((...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.853982369164623
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:4+TxwFqWD7W5/PtNyby2sE9jBF6IYiYF85S35IVnxGUHFCetdXG55K:zNoqWD7WJlNyb8E9VF6IYijSJIVxeOGy
                                                                                                                                                                                                                                        MD5:24327AF1BAFF48BA5F1F6324A61F71C1
                                                                                                                                                                                                                                        SHA1:F9A22C0C5FFA2EC82A4FEB4A902689B6FC59179F
                                                                                                                                                                                                                                        SHA-256:D74B179263A195AE4D5720B66EEFBABDE09EAC0014FE6E65DF98E5623210DB8F
                                                                                                                                                                                                                                        SHA-512:21104DFA526301C7A8724AAD6356BE1D0752C38184148811BAB8C9A26EC9D1EBD6ED0A91EE580E3D8F76710E2989DD3A9A16F6EACADCE386BD66DC0BA8818D4B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................:....@.................................|(..O....@..@...............((...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.86328119964248
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bGETSAWUEWSWNyb8E9VF6IYijSJIVx6t2no:fT18+EpYi60S
                                                                                                                                                                                                                                        MD5:2CD1F525D9E7AF6369F04152A467D8ED
                                                                                                                                                                                                                                        SHA1:45F957A01971249BC1CB7EE43A1C1A714B33737C
                                                                                                                                                                                                                                        SHA-256:8EC2FA24A534A8A6BC488AFC6C8DCA0266135B01C49DBF9FE16920C2BFC5C8CD
                                                                                                                                                                                                                                        SHA-512:6E600BE03E5FAA11F56CB615588B58B605163549093436213B8595D12BB9F29A6847A38B8DFC41C07004BF3E1E2F621ED1EEAF72F9ACD41D66A5C2C295B2B381
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ..............................>.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.510648737251264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:TPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76H:TWw0SUUKBM8aOUiiGw7qa9tK/Ybg
                                                                                                                                                                                                                                        MD5:A27760BA058AC5856F4A1D07210B6A42
                                                                                                                                                                                                                                        SHA1:BDFC736271A1C4E0D04846ACEF7285A491448BAE
                                                                                                                                                                                                                                        SHA-256:851B73A64C57B6E149A0B2677DC5F89BA39F31E61EFE37949C48C3697FA62324
                                                                                                                                                                                                                                        SHA-512:A50573FCE43757A7C8530BF71067D4D40C3591337424952E7B603E2C811CFC89631DE17DAFBFD9D714DBF4975E687152CE3CEB1479E448AAAB4878E17C98848A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ...............................K....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.847676268621053
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:RcDagtDApWSKJWFrNyb8E9VF6IYijSJIVx4LsXNJ5:RPKBKnEpYi60N9D
                                                                                                                                                                                                                                        MD5:ED0BB3B04E5B5FECFD7C93BAE2707C3A
                                                                                                                                                                                                                                        SHA1:BF9F93430B820FBDE7D101C739A0BF8B48DF1BAC
                                                                                                                                                                                                                                        SHA-256:B217AE70945AD17489E5C89E1D0B5F9798498ABD0F2DB595221AC3E77F770706
                                                                                                                                                                                                                                        SHA-512:3C0B6FBB62EF929463A9834A27A2379E0125AEE03E5183B3CDE0F32C22E8F99E5842FF76F0BED19EF1AB447E0D44AD910742D4447E958475C5DAE02D53C4FDAC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ..............................\!....@.................................0+..O....@..................((...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.85953484591678
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:/m6NxhqWD4W5wP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFAyboMbWXn:/nIWD4WmiNyb8E9VF6IYijSJIVxM0RW3
                                                                                                                                                                                                                                        MD5:1566627D5F85534882E69C079652B08A
                                                                                                                                                                                                                                        SHA1:4EDA90289B7E1A969736D7814E63AE3E5B4C567D
                                                                                                                                                                                                                                        SHA-256:86E7CF64275697064B1A89D9377BDE56D8EE1293A21E57AE84BD8E2FB8279F71
                                                                                                                                                                                                                                        SHA-512:07410B21E565377D6F9CA84D4006A54534261EE7BBDD9EF360AE222E2D229030118C78A98108D1FAA8115BE8D1AB8F155A1240AA3E3EFEFA16AD1658E3B134B6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..@...............((...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.783953692294162
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:6W2KxVSWzQW5qPFNyby2sE9jBF6IYiYF85S35IVnxGUHFh/JZlGCQMO:tMWzQWc9Nyb8E9VF6IYijSJIVxN/JjI
                                                                                                                                                                                                                                        MD5:83E20341704AF26C8FF74D9321B10C1E
                                                                                                                                                                                                                                        SHA1:A18DF150BA8D6D982A7CED9AB8B922C8BFFBD539
                                                                                                                                                                                                                                        SHA-256:705EB209C34E9E8407DB2B6099464CE9E7A18FF4B98333F12C65A6B75CCCAE36
                                                                                                                                                                                                                                        SHA-512:137CD3A31A5D06B9DD06E6F38E4DC16687ECB3398AFC1767C89AFD39B9AA87EE103A6E414857ABDEC286D9B2C9236C2EE99F24968EE35D93B02704EF0F57B9F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N*... ...@....... ..............................(,....@..................................)..O....@..@...............((...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0*......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.724716036489479
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fxDHKWAMWcpNyb8E9VF6IYijSJIVxlPKCg:pD8GtEpYi60Vq
                                                                                                                                                                                                                                        MD5:2337819E421DBF3C3315634681A605AA
                                                                                                                                                                                                                                        SHA1:76B72AD495AD0635D260BDC23BC7C206DFFB9810
                                                                                                                                                                                                                                        SHA-256:7B7737D5E647CB55BAACCEEE7C79869B5D128150E468CBF2108526C035B4DA18
                                                                                                                                                                                                                                        SHA-512:6F55EDD2426A45C8DC68F14AE5EC640E4A8DB515ED913FE7EC0831DD8BF075010336598CADDDB2FCC14C1959C6FF7FD49A1635C162CE4FFFD8139ABDD524246E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ....................................@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8309757576772085
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QLNBEW6pWx7Nyb8E9VF6IYijSJIVxdT1qe2/g:QbMSXEpYi60p6g
                                                                                                                                                                                                                                        MD5:8F83077CD78C15C196B3AA4403A25361
                                                                                                                                                                                                                                        SHA1:27697D0A50410F45F3647E8F83AA2434D8D23084
                                                                                                                                                                                                                                        SHA-256:B3948D23C8370786B1A7FCDBE4805ADF3B116EA9F800F4F1A5BA9BAA59A094BF
                                                                                                                                                                                                                                        SHA-512:E0A3B4BF601BEB53425F1C3280F984177E13D4F025E7F96B54AB2105B15F628813BEB9E37E01D45FB334C21602A34BA2F865B963DEB97BA50DFEDD9F2D4562EA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................{....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.884464800766763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sKkHKW/tWBpNyb8E9VF6IYijSJIVxkNKuTXO78m:xumtEpYi60WlWD
                                                                                                                                                                                                                                        MD5:608CFA5936FAE45411397B435050646F
                                                                                                                                                                                                                                        SHA1:3CD38EC97A122C32859A35EC121469D600280E54
                                                                                                                                                                                                                                        SHA-256:E5EDDD5A318D1945AF4E45A3D00F516295BABB26E5D8AE6586EAD3C5F1F479CE
                                                                                                                                                                                                                                        SHA-512:C71502BE6AB04CD3944BAD137E53823C8FF48B589D28EABC80D74007083B59E3F8AD0441DDFF14926BA7E931B08B39977B67F15DB88D40B4F5AC9F0B0913F2FC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.830471433252565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6LnfIWqrWx8Nyb8E9VF6IYijSJIVx7Dq1bAae:6Df4ocEpYi60gbNe
                                                                                                                                                                                                                                        MD5:22BADF9DD8B72261A211BFD011A4C8B2
                                                                                                                                                                                                                                        SHA1:3248AB6897B1B11E2435B2922516B1D425A0A066
                                                                                                                                                                                                                                        SHA-256:3ACE189115E9E0CBEF40D91113D2534065E9B3C7637AEC7FC2FCC076AB9821A2
                                                                                                                                                                                                                                        SHA-512:BABF37E5B9ED54ECBCA2F6F22BA1CAB012B7AEF98338DB8EA5C66B3C88FC6218104F317324F59B3F37DC552442683CFA07C144C930F2D928A5AFD9E8F3BB717F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................,.....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.671168291822592
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Qh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBe+:Qy9gpEpYi60AV
                                                                                                                                                                                                                                        MD5:B2A7A924DE7A9B3A1BC24F97C96F46A7
                                                                                                                                                                                                                                        SHA1:63C105C2BE54181A927240CE53A245EEF5772006
                                                                                                                                                                                                                                        SHA-256:E6BF244EA19064E9E60800D7E126BA7C50410F7DF9C382EA34C83D296664BF8E
                                                                                                                                                                                                                                        SHA-512:315CA16713CB063AA712E1D513A0264C6C5CA95845F7756BACEE4F296EAB5DB9A55706C754254DB3A5DF9DF18C7BFDF32581760A5BFDFDF9743FA1AB363CCD41
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................z.....@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.813587934716137
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2na8WK1WLfNyb8E9VF6IYijSJIVxY4fz9:2na0ojEpYi60J9
                                                                                                                                                                                                                                        MD5:5716EE2738F8F76979155FDACECB5C0C
                                                                                                                                                                                                                                        SHA1:9A6AE1A93840839FA647DE64F6318D7F56B26D4C
                                                                                                                                                                                                                                        SHA-256:3BF698EDC3D060A83316B39224B6CB6568F6F6E06AABBE2BA2517DBC665DD4DF
                                                                                                                                                                                                                                        SHA-512:FDB045A6AA74D42EC14703BAE90156BF82C945610A967D985755A815476F1BBA2A83867169945C492679BB42298ED420323915D5E4967C8D05534B1667820A4A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j*... ...@....... ..............................a.....@..................................*..O....@..................((...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.761881198456678
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TBSWITWWSNyb8E9VF6IYijSJIVx3mR6CrIO:T6LyEpYi60WRjIO
                                                                                                                                                                                                                                        MD5:6DE7AC728A20BC60F092479E3EF06F6D
                                                                                                                                                                                                                                        SHA1:ABCCBD3458F0692B50C23423171BB4B72718ABD5
                                                                                                                                                                                                                                        SHA-256:E7F96EF21BC499872D1B80974A40C97524C788AAB36946AF04B08F32B2EC643F
                                                                                                                                                                                                                                        SHA-512:BE53EB4C43DE79C9FA0FE448C37879FBC0C3C1F85FA0047FBF93C9E1EBA8464D680E03F96154ACC42E10CDD85E2D3378736C72F0FBBC4CA2D589F4FEB0E0B195
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............*... ...@....... ..............................!E....@..................................)..O....@.. ...............((...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................|.....|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8756068830878
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:j88cIIWNoWJiNyb8E9VF6IYijSJIVxJyw:j9cU7iEpYi60x
                                                                                                                                                                                                                                        MD5:E7E2D8DF7EAD9D209524406044848F25
                                                                                                                                                                                                                                        SHA1:2CD56D0483F23294671B5AB95F041E76ADB7CFAC
                                                                                                                                                                                                                                        SHA-256:3437DC1F9380D9890B77A06597901EE1C5B3DD5F9A889D7AA8A2F46CBE314BEC
                                                                                                                                                                                                                                        SHA-512:23E2467186C50BBF8468F70C17C1E44794A79766B88B75BC6F90E4B6758FB9714831A9F1C0831606BB929D69A812D6C86FBB843B48B231B1169E689C0B90589B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ..............................M.....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..................................................*.....*...c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22568
                                                                                                                                                                                                                                        Entropy (8bit):6.618631827128889
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IkUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXUlv:XrmoFmWXX/NEpYi60bav
                                                                                                                                                                                                                                        MD5:1CC223DA2E4AC998C53EA59B66F356F8
                                                                                                                                                                                                                                        SHA1:975FC204A6D8B093F2331B3B7FC93E04680F5B86
                                                                                                                                                                                                                                        SHA-256:86EC9DD10202679A39E3A934825EE267F625C2D7D3D907530D57C3FA48B211CF
                                                                                                                                                                                                                                        SHA-512:C0A6ECE93E33F9E9512B3AEFCF8B3AC0E6ACC64B65FBB86217A28E70B60CFD6414F3C2730EC1EE51195DA00EE096CA13BB5183FA05DDA52042652EBF50AE5B43
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ....................................@.................................PE..O....`..x............0..((...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r/..p.(....*......(....*2(.....(....*^~....-.(.........~....*.0..........~..........(.........(....-Y..(!....{/......5..,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.6724040809809555
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:U09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsp:VOAghbsDCyVnVc3p/i2fBVlAO/BRU+pf
                                                                                                                                                                                                                                        MD5:D1D58B64959C12A4FD927DD402163CC5
                                                                                                                                                                                                                                        SHA1:412A1FCCB056168F709DA18A57C70BA116C0A4D7
                                                                                                                                                                                                                                        SHA-256:F0A641647BA8FEA83ED81359106D386710147A8E5C5BD61B23F71B9BAE352D17
                                                                                                                                                                                                                                        SHA-512:62234C2B5531BF63C250DB381B7D642BD441D5EC61478CCEED76CDB03AA11011A332DFD9A5A98AB99D36B35CAA6672A09B562C19DF5C70BBEABA16F7FB8E4203
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ..............................-^....@................................. 5..O....@..P............ ..((...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.829655689203351
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cRYx4AW6RW5wPSNyby2sE9jBF6IYiYF85S35IVnxGUHFt7kRFiylI6a:f7W6RWmaNyb8E9VF6IYijSJIVxZ7D1
                                                                                                                                                                                                                                        MD5:6976929BBABCA3037BD9C167A2F404C3
                                                                                                                                                                                                                                        SHA1:879B8D9EAAA33348417B636F5FC9C0352CA0D007
                                                                                                                                                                                                                                        SHA-256:C42091E10CB4BF21CEF687E4320F2A2C50C9EC0FAE63B642F4B3C44F2F2E404F
                                                                                                                                                                                                                                        SHA-512:FEA16FDDEEC9DC12652E7DC17EC402A117FD1F045969FA2AFED6AB0F09D31271933AA15592693C4D2EB82AAC8EE724641ADBAA4B1DDA6FCBE0CFF4016A6D1962
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ...............................=....@.................................T(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.921024068511714
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wI5HeWFwTBsWWcNyb8E9VF6IYijSJIVxuKiej:wI5HFwTBI8EpYi60lNj
                                                                                                                                                                                                                                        MD5:2DFC13FAC522AC63441125E17F4B8ECC
                                                                                                                                                                                                                                        SHA1:7C7FE89B151FBE4BD68F4BB292BDECF097E181D0
                                                                                                                                                                                                                                        SHA-256:BFC87A0F913B23E28636FDDC346D5C279E6F5B1023E6A80B1657047101646202
                                                                                                                                                                                                                                        SHA-512:4D8067CB2201BD92DBC45497C3EE3C7A93ED5859D309B0359F3490F0A5438D0E80E4C1A210F32AE142EDB817D7D721B171FE1B538260FA8265AC1E8DD81EB938
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................4....@.................................|)..O....@..................((...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.892625196711899
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:PAJpVWbfkBnWRXNyb8E9VF6IYijSJIVxn+f3J:PAJpWfkBAbEpYi60a3J
                                                                                                                                                                                                                                        MD5:045F3B062CBDD6486E81D56AD6ADB1F7
                                                                                                                                                                                                                                        SHA1:0A4DEC84E3B588FB09BE09ED4D2111477445B26F
                                                                                                                                                                                                                                        SHA-256:EFA9FABEB1009EEEBAEEB6B57B4ED2B0C3660EB43764A83668DC3010C70CA86A
                                                                                                                                                                                                                                        SHA-512:2A572BAF6058F5456F81D437F593A5FD58D9F05FF80E03DA760322025A09C6A790FB5BF11DFC21D38247F3FD52D03F3A0FFAE4F11A798C362A8873826B8B5F24
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ..............................([....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21032
                                                                                                                                                                                                                                        Entropy (8bit):6.539784818924537
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:b8R71h7yzt94dHWFgQBVWeHWFyTBVW2dNyb8E9VF6IYijSJIVxRNzz8:W1dyAqgQBfqyTBZZEpYi60g
                                                                                                                                                                                                                                        MD5:4F86DC8958B2EADD05103A3973E2EDAF
                                                                                                                                                                                                                                        SHA1:80A96E28831D2A41C80172F680C0C937761BEECD
                                                                                                                                                                                                                                        SHA-256:051561A7CA00CA206A98FBAF018FD9EB51B2D42DAAF32AF0F7A2C8F7D145BE29
                                                                                                                                                                                                                                        SHA-512:7BE008DC538478E83C80934F4EBFE9E056919E3D764ECABE220600217ABCA46E1361C962280227B131D7E2BFB1A88BF3F6D4C69B58A224FE2C737AD7F93EA4C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... ............................... ....@..................................8..O....@..8............*..((...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......|!..l............1..p...X7......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*..BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18984
                                                                                                                                                                                                                                        Entropy (8bit):6.681785803676866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWb8Nyb8E9VF6IYijSJIVxZ8o8z:nsPMQMI8COYyi4oBNw4tBrcEpYi60S
                                                                                                                                                                                                                                        MD5:43F7E5827AF0DC34C13D7EF02B5877AA
                                                                                                                                                                                                                                        SHA1:89D7B88D8803DBE8DDC925E5252EA336F0EB2AE9
                                                                                                                                                                                                                                        SHA-256:63D90FC022D531AF33493D413FCD7C88553F0C47EA7909144F9CE4C76C0DF9F5
                                                                                                                                                                                                                                        SHA-512:64EA2414299E84137FA1828F96953F4B039B19C3A0B4527C19971B11A32C58C4044C7335EF76F384057FD52111A1DD682E12B52CFE5EC81E7D1B484DFE15F4F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ..............................>.....@..................................3..O....@..............."..((...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s....*..s....*..0...........o....u......,..o....*.*.0..%........s..........(....r...p.$o......o....*:.(......}....*..{....*.(....z.(....z6.{.....o....*:.{......o....*.(....z:.{......o....*.(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23592
                                                                                                                                                                                                                                        Entropy (8bit):6.317272664503148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VbhigwLAuZtM66g/Id7WVXWgvNyb8E9VF6IYijSJIVxdTSuB:VbhzkKs9TEpYi60p
                                                                                                                                                                                                                                        MD5:3F33D240969A76306AA2884F7254E84E
                                                                                                                                                                                                                                        SHA1:83E0443482D87D7537586E6C686CA8CD37E1DE49
                                                                                                                                                                                                                                        SHA-256:2B18DC264B14C3A8A553F2ADBD8E08643049AFC970E94A71CE9DD1CD120326BD
                                                                                                                                                                                                                                        SHA-512:8A16029FFB19805AD62846438792058C2CE83AB9916862EE65F8332F740C08B7E213D3261CEA0340323EB6ED406B416EBE80DAB002A49E10152FC492DC7E9B31
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..*.........."H... ...`....... ....................................@..................................G..O....`...............4..((...........F............................................... ............... ..H............text...((... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8...*.8.....8.....8.....8.....8.....8.........*.8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8641760993802
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sUcX6W9aWTmNyb8E9VF6IYijSJIVx7y5UA9:sUchXuEpYi60K
                                                                                                                                                                                                                                        MD5:90851FAA93AC21FA4BFF8B44E19CD3EA
                                                                                                                                                                                                                                        SHA1:55A2DF0C354E03E704C779BE91ACFAB15B0EDD2F
                                                                                                                                                                                                                                        SHA-256:2E0F1D274410F097DC9338BD152F996B8C0975D6E21BF6A0672A57EE54CE1482
                                                                                                                                                                                                                                        SHA-512:CE183ADDD8E5A93B08ECDB463F8B071537B4B4ACB44BF0EBCCAE3448FABBA67DC0AC85671503E94A0E7F86FA0353DA629653846C7C66233D3130AFDB8F956F91
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ...............................@....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41000
                                                                                                                                                                                                                                        Entropy (8bit):5.950693749695141
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:EoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60v:TPmb9WKs0PeeUJ76m
                                                                                                                                                                                                                                        MD5:7FB055C905D9A39F3C6A3727F9973931
                                                                                                                                                                                                                                        SHA1:CFB905ABADB4763E14ED6C81FB53237B5535471E
                                                                                                                                                                                                                                        SHA-256:0DF92CC1C99757A8AF1F9E602C558BBD5951E7F74FB4B4818310AE62F14951A3
                                                                                                                                                                                                                                        SHA-512:C65200E385652D5E6EAB6D4C879C2F3CA013F661A70C7EA269FC2A56CFAAE7D1349E67228A0734334446DF7F5FD496F677A0D5EA389F00E1B3C9B4819EE8D5D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ....................................@.................................u...O.......8............x..((........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rI..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r9..p.(....*2rm..p.(....*2r...p.(....*2r...p.(....*2r=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.894656801462163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:jTI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypsikUt:jE3bnEpYi60ppJt
                                                                                                                                                                                                                                        MD5:5AF75DD465E0FB5499F26F7705C66EF0
                                                                                                                                                                                                                                        SHA1:B818D0D374D1481AFBBFC10ACC18FAE415884091
                                                                                                                                                                                                                                        SHA-256:03CE2EDBA81F2B4FC721152A43E50D897F3729EFC95FDAAA9B75FE1044CF8E9C
                                                                                                                                                                                                                                        SHA-512:014A9171C2EC833D33E0FEF4B23187583E4E2D75C81B61B6966A44F1598AD7D7FD458920189B0FCBD2F2C877B8CB3CD0395ECA155137803F8733B51ACB610EE1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ...................................@..................................)..O....@..`...............((...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910298478995302
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Vcezoy4W04WGINyb8E9VF6IYijSJIVxmpc:VBzoy+kgEpYi609
                                                                                                                                                                                                                                        MD5:F21B83D02F3F41A17DA661D1946ABCFC
                                                                                                                                                                                                                                        SHA1:D9AE7E6A4349F630621F3ADA8DC4CEF314E90436
                                                                                                                                                                                                                                        SHA-256:F373EB334E331CC72EE6E7CFF66C1594F3DB4CE7C895ACE2DA867F114A84CAAE
                                                                                                                                                                                                                                        SHA-512:AA916DE4EE19F17D7B3938EE7BF14F72DA77B839A0C995EA43A927DF15889C2CAD2C6800F318454A062CA7B774D713F30A450771B561D8CA8E38BA98C76960BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ...............................\....@.................................,)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.795979658861104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zH/JWKpWDQNyb8E9VF6IYijSJIVxX5qd5:zH/j8oEpYi60y5
                                                                                                                                                                                                                                        MD5:0D53104075C8DF39D4A0CFC0B36A3D04
                                                                                                                                                                                                                                        SHA1:7336DA34B096A727A51D6D38DAECA2C4881B2778
                                                                                                                                                                                                                                        SHA-256:CBD5EC9F943F07404CC33A7956A40F925832A3338C65CA7DD9C312C2F7E03BFB
                                                                                                                                                                                                                                        SHA-512:099911E7BE7A6A25DFC952A007348A840D3FED8B92516E3B049E12A6F24EB7585CAD962658B242C0D19E83E7BEA07EC605561563B2FF14AD8A3890DC77349887
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.742301132485331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:STjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLJTx:SboYyFiEpYi60tb
                                                                                                                                                                                                                                        MD5:3D93A992DD312FE629AB5D6CCF850528
                                                                                                                                                                                                                                        SHA1:C071A9279B8443AE461A1C714CFFA487FF7CF359
                                                                                                                                                                                                                                        SHA-256:9742081D172405E3CA98842B5E1FF3E7BD0F5825066DE327EB4290A5D6BF5B3D
                                                                                                                                                                                                                                        SHA-512:618EF6B5E46AFE3835D7393A63FE7B3C4A73F17535913EFCCB4E310BEBCEE54708B6F9D80F0CE3E573C1525A39C1F15B3262E232B02109A8C0E46F646245B560
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ...............................'....@..................................-..O....@..................((...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......|...#Strings....x.......#US.|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8445483953916035
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pSKiWIhWG3Nyb8E9VF6IYijSJIVxLp8y0A:pSK8l7EpYi609Z
                                                                                                                                                                                                                                        MD5:FE7BC6211C4AF906699B28C485BEBE46
                                                                                                                                                                                                                                        SHA1:5C54F221F0C5BA1ACF39281BE2658850DBF9A60A
                                                                                                                                                                                                                                        SHA-256:A772F2AB0828BE9F22ADC5BCF14DB2114DE2A2FE20F0AAEBF8957043A5A5BB27
                                                                                                                                                                                                                                        SHA-512:3F50EC9CDA1873961D0BC5D5214310F4D0A2E28E8A66249AC11730EAC5A5F8A89EB136E1B9A49A4D9792B094ACAA9FB4BBC67B4F8F2E7DE4F9FF355C04B24222
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ....................................@.................................t(..O....@.. ...............((...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.789117842351263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:b0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8eP:QKRyhfEpYi603k
                                                                                                                                                                                                                                        MD5:49101FB80BE698D6FF2EB01FF7A02911
                                                                                                                                                                                                                                        SHA1:C7C94A2315F5B05AD5DF0A474E5C47A05306CD3C
                                                                                                                                                                                                                                        SHA-256:DBA9B817AC977A09A7D3045026FB57802ABEBA67E31BD1C1BFCCB2529300EEE5
                                                                                                                                                                                                                                        SHA-512:5040460E4E307037C3442D432ADEC67869C02ED8BC99B55E4D5191E3DCF53C0AAC3FACEC1BBC84E74A237D6507FE43152DD2152363018F9BBA699A4B77E12C30
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ..............................).....@.................................>)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(....*..(....*..(....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874719627578481
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Sb1nWCXWr7Nyb8E9VF6IYijSJIVxnY3fHxk:s7yXEpYi60gxk
                                                                                                                                                                                                                                        MD5:B3ACA0F8C91EC33D1FB267FBF2DE120F
                                                                                                                                                                                                                                        SHA1:29EE280A3C25C7FCC75DDE7ABFB88693DD9AE46F
                                                                                                                                                                                                                                        SHA-256:AD8F66A8E2340499A3E2A885B8E9DB90A3125A15004CCE3B429E65C0E7DA9B16
                                                                                                                                                                                                                                        SHA-512:24F20FC78EAE801D5E0C3233043408922896A75EA6E5166F629545371FF203A6359555A68FF232C60544E98618BAA81494F46B578BD278461FC333CA82DC793F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ............................... ....@..................................(..O....@..T...............((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.774262964652296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/LyW7TWyDNyb8E9VF6IYijSJIVxRr9z6H:DfPfEpYi60y
                                                                                                                                                                                                                                        MD5:61C00354BE279E4DB20FFD3B5B326DD9
                                                                                                                                                                                                                                        SHA1:C6C9BD6E0970F123FC5CAFE714B768532791F5EE
                                                                                                                                                                                                                                        SHA-256:13D44BB25D9F5F27A3D26B3582A39A7C3896BEC2D54ECAB9C444F1CC6A4FE9CC
                                                                                                                                                                                                                                        SHA-512:3FFB5B41441894EABF232321932DFE746B968A3CBECD53E98BA96F630334AB3E4E2EF518125805EC831FB350F44B60F8328C3D57BFD038AED86507D702F2439E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.907819210404346
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:86Rb32WVzWwtNyb8E9VF6IYijSJIVx0H2:bRb3dtJEpYi60D
                                                                                                                                                                                                                                        MD5:92C3B5E46C974C9A12DD17F345F15A6A
                                                                                                                                                                                                                                        SHA1:641949D9C56F6B0B7866FD77C13B24DD760688CB
                                                                                                                                                                                                                                        SHA-256:99D5F16B1726D92FD674D66FB1F11FF89C33421866CC93326851FB2416F4B244
                                                                                                                                                                                                                                        SHA-512:08CE17508591BA7EFB6004986B69BE8CCE4B1FC12E316CDA3AD6E86EEEEFE1DA919396C659E9C4E201A80E6B52FE69AC0A391CFF5D100734218B63F614E90805
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................:....@.................................t)..O....@..P...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31784
                                                                                                                                                                                                                                        Entropy (8bit):6.534970290410218
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xu5I+sqOylryry8qqIfUc7a5eMEpYi60J5Q:xYIVBpry8qqIfUcm5eF76i5Q
                                                                                                                                                                                                                                        MD5:D594D9CD12ADEC6A44A7930F4E6E57B3
                                                                                                                                                                                                                                        SHA1:EC68E31F107BB911BC6799B66449BFFD02FEE686
                                                                                                                                                                                                                                        SHA-256:09AC1AF349902D72C2C8A5106EA75A3E00475E16A08A1ADB06E1923D30C9FEB5
                                                                                                                                                                                                                                        SHA-512:109E912D34FA492134A821F080DE97F614F672F3BBAFCFD85DB8DF13731E31A81F75D1FA12D5EDC5A4A29F1DCC2AF6792A6B20DA1D5EF7EC2CAC2BB1F2C98BCB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ..............................j?....@..................................c..O.......x............T..((...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rK..p.(....*2ry..p.(....*2r...p.(....*2r...p.(....*2rc..p.(....*......(....*..0..;........|....(......./......(....o....s

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.87608762940196
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Gvn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDaLt:ZS/I4EpYi60g
                                                                                                                                                                                                                                        MD5:9DE4F0B97176A6A5DFFACFA7D814AE5B
                                                                                                                                                                                                                                        SHA1:901344AB9C79E9710EBA25DB68D9E1528D81792F
                                                                                                                                                                                                                                        SHA-256:D77C918FFAD2F529CC8C154EB3C1ACF50DC542741BF7AFD9E70786FE81AE1B7F
                                                                                                                                                                                                                                        SHA-512:37AC428EDDFE7001A1490182DD79DC3F4830F2548FB3727E9F0F1D5224DB1DFA95988EB8284F39D29A852F9B552FB3073A8EA8C630770018AD7F88EA900E2FD6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................;.....@..................................(..O....@..P...............((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.766567453209908
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:38MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxoI0F:sMjKb4vcGdO7LEpYi60EF
                                                                                                                                                                                                                                        MD5:E6089C386AA8BDF2C9240DF0098B0C41
                                                                                                                                                                                                                                        SHA1:5B4E1D708FFE66B2D4B86A765D063C7F4F3D39FF
                                                                                                                                                                                                                                        SHA-256:258FBB18BC7432053EDC7E098AFA9D0BB0A1068BB253068CD7449D87DD3C3135
                                                                                                                                                                                                                                        SHA-512:42BAC7E61967A57F41270C7F1C3FC48FAADBCAE207A54ED54D9E9BC5780C253C0A89F823DE5D222E51B82B2998748E7D9027944D269983FF9A18EAD7667D84E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................3:....@.................................`,..O....@..................((...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.857184391871379
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:PzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYhPMu:OztEEpYi60cpb
                                                                                                                                                                                                                                        MD5:8D28AEDFA446EA70795D468AE16934D5
                                                                                                                                                                                                                                        SHA1:F1330A420CFF4FF24DBDF7E8378397FF80DF8A58
                                                                                                                                                                                                                                        SHA-256:7AE92817F37DD736529FB391768AA36F742E7BFA3D9082A2F244CF2AC521FE24
                                                                                                                                                                                                                                        SHA-512:0F8AA673889AD150A729D642CBA150FF8BF202ACBA41417F030CCB21922771C54715132D47CF814EF460FF199F54D645D2336C27CD37952ADB368C2FEFC9CE13
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................G.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.859931444896201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ivs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm8Y5O6:IuM0xEpYi60PYc6
                                                                                                                                                                                                                                        MD5:25F33DFB6C83FCD0FC1DE251FE683DB5
                                                                                                                                                                                                                                        SHA1:790ED2654D3016B4470AF54FF8C5E2029E215B27
                                                                                                                                                                                                                                        SHA-256:409131B7270D31B1313182B2FB6D5219CE3DE607F0CBB82D98EC61DBB514FFA5
                                                                                                                                                                                                                                        SHA-512:BBCD6A5FDBF859F734FE65F57263AB9CE2586AD9228CAF4A4970F3DEAF0E47E4D65EC565356DFB78798F7C66DDA80535142746F9D51E5C230C5E89F81610AA4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ...............................:....@..................................(..O....@..4...............((...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.827015314349416
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9Jtlw2p:nFz1c60EEpYi60L3pp
                                                                                                                                                                                                                                        MD5:3D71ED83427BF05AB130F4F29DA2D701
                                                                                                                                                                                                                                        SHA1:46604588D91D51387CB8801591DFB555E90783B4
                                                                                                                                                                                                                                        SHA-256:15927B1892031F463E8E4B45104A41FA7090A313A75A4CACD81B1D1D95918648
                                                                                                                                                                                                                                        SHA-512:B35AE26ED42F5347BAF878F4D5E2764C30D72A38E021E1E3467C67F6D849E928FC5563628FAFD5DDFB9F8F5DEDF32702EC23B30F8BEF10E5D75FBF314528615C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................50....@.................................L(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.723652389565766
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:X6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJz8dE:XaB/TEpYi607y
                                                                                                                                                                                                                                        MD5:6BEAC5BA1A217194D23572ECDDCE2759
                                                                                                                                                                                                                                        SHA1:FEC30E3B4EDEDDD668F891D3DBB6FC15BDAEE248
                                                                                                                                                                                                                                        SHA-256:7E085CC86E5B00BF8BC68F09C15F4B7866E38A15CDB1ABA4A32E0176CF40045B
                                                                                                                                                                                                                                        SHA-512:BD1D57184AE9E1DE828B36684694859EC1435BDEC7029F66FF06380FF3029344BC12EB7BA793F8D56E1903C3A593DD8A2796C81E57F6214318B39DD632DB9A27
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ...............................4....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .......................*......................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73256
                                                                                                                                                                                                                                        Entropy (8bit):5.9547665237514895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:G784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nV:G7N1r9KGI04CCAskwV
                                                                                                                                                                                                                                        MD5:B9DA1FE2089DE0A8B1814F5997FC72BC
                                                                                                                                                                                                                                        SHA1:173B1F7C7408E94A76927CCFC1D53DB9518E0E4B
                                                                                                                                                                                                                                        SHA-256:2D080E6BBEBEBDC9F5D474B9595746F578B5451E2E6D24A10CDCDD216F57AC2F
                                                                                                                                                                                                                                        SHA-512:3F38C7ED3EE6ED7B3B699E2C0521A8AA34357E801AFDFD175AA47925EE8B1E75A9BBB8C3C2F2342862689D5BB18262776F35407FD766F4BE46F064AC54446917
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.853900301591647
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Jr97WquW6/Nyb8E9VF6IYijSJIVxkp9mGXZ:JRJKDEpYi60eF
                                                                                                                                                                                                                                        MD5:0C9A6CDE287F0B0C48902EA337CF7949
                                                                                                                                                                                                                                        SHA1:2074CD6D4642F0F659D17F923C9F84CC696D1F12
                                                                                                                                                                                                                                        SHA-256:B22D08A687ECAAB2E7475E9834560E2C4B00DC2BF0C7259CCFC81C44D2C611CA
                                                                                                                                                                                                                                        SHA-512:23567A5C1734E7667E4827049CAF6ACC1BCDB658895D2A413832C56E4C727E7BB120E1C8AAA4C66AC1CF21793A07E9F7F0237183FEA3763AC6ACB6506CDDDAC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ..............................2.....@.................................\+..O....@..................((...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.791351843410249
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cvh2uxSleWLDW5wP8rNyby2sE9jBF6IYiYF85S35IVnxGUHFMsSAfy:O16eWLDWGoNyb8E9VF6IYijSJIVx4MK
                                                                                                                                                                                                                                        MD5:1EAD058E00ADC84AD8A50D569BA4521D
                                                                                                                                                                                                                                        SHA1:986087A3B7077DDB4F910D53F9E871A89E31D9E4
                                                                                                                                                                                                                                        SHA-256:3C9C5421BBB4324F0F6338882806A257F77965876F12824D43829EAE003622C6
                                                                                                                                                                                                                                        SHA-512:3B070330FCB4BC6C170C69B3DB0CA149C3CE8E81779F4B7254088DBC423A7E4D9E331F379467EE16E4DB1F8DAC69C223A369325707BFA0FC7B2301B23475FDEA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............*... ...@....... ....................................@.................................|*..O....@..................((...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.7831784200733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:C8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxP4AZ:tGZ5OwEpYi60n
                                                                                                                                                                                                                                        MD5:18280BC3C94A054A45628EEC1DF266A8
                                                                                                                                                                                                                                        SHA1:DB5C8F6578CBC9BA93014883C027C6A9DE777F67
                                                                                                                                                                                                                                        SHA-256:87CE63CAAA2B024E97DBD1861F13119C5378D3C3D4C0B76B8E6F66CB5FFBA5C7
                                                                                                                                                                                                                                        SHA-512:9A6BF6FA0DF136566AD596FADD206E9FC089939500543817D341E4E9A2214654AB87966D6F5E05B211482DBDAB2F8E222837014D685BE564622EA11E3114CAE3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ...................................@.................................z+..O....@..x...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P*........................................s....*:.(......}....*2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.89811663827779
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:F6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPUE:FYT1cREpYi6001
                                                                                                                                                                                                                                        MD5:B5573716CB6D73603A91A2DDD9417236
                                                                                                                                                                                                                                        SHA1:9647D429082395CBD82E71C7A4F126180591D1AB
                                                                                                                                                                                                                                        SHA-256:1B98B61E3ED9A990BFE7FE909ED154E743713202DCFA655B261E15788BE78605
                                                                                                                                                                                                                                        SHA-512:2BDE18B4A19AE18EA5F2507A0890CDB7B4E12C1ECEEA45719390CD8C0E86BF543174A10876195A9230B3D8A1D383A2C69B4C01CDA372FFB502B227170E53DE73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................E.....@..................................)..O....@..................((...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.810703111667448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DUv7c7iWNCWq0Nyb8E9VF6IYijSJIVxILSM:DM7c1m0EpYi600/
                                                                                                                                                                                                                                        MD5:A00D659894A0486055C5BBA1E09A5400
                                                                                                                                                                                                                                        SHA1:597FBEA2CB5249EE5AAAD13E3C8F6A347A70E53D
                                                                                                                                                                                                                                        SHA-256:F2F11E3A920361F15E107E5687E6662230DB520E196B2799BDDEED3949AACFFF
                                                                                                                                                                                                                                        SHA-512:BB0854D683871384FC3356740E5C54E3BB8802D63D4276E2EDE619C43F5D1E89792CF205B287FCF3D0436CB1B5607A081E81F4FE1FE8E389FAB8ABA563466BBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............*... ...@....... ...............................v....@..................................*..O....@..................((...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.852365362100018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Dx+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8nXYhlbR:4SWnRWJ0Nyb8E9VF6IYijSJIVxITYjbR
                                                                                                                                                                                                                                        MD5:897B4ACADE1E98F8EF9DF939AFC19DDE
                                                                                                                                                                                                                                        SHA1:A46F642D080DF919E8523672F614A1409FED7490
                                                                                                                                                                                                                                        SHA-256:FEEA00F2A302198673766E25C042A007503B0B288FC9CE0E2F65A3EAC4CB5442
                                                                                                                                                                                                                                        SHA-512:DE35426A127F636A5CBC043428FF0E7C0623712F2ACCEB6EBEC8DD855B9BD14BAD5CF670B2D80B801C138E0CC928AE797BD1DFC38AB69ADE58E925A4E3AE66BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ....................................@.................................L+..O....@..$...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92712
                                                                                                                                                                                                                                        Entropy (8bit):5.483010862843941
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:72Ec05j4eAH64rh5fSt5T9nFcI94WYG76rF:KlK4eA7mDmWYGa
                                                                                                                                                                                                                                        MD5:7809B2A1A7F1E551303AE139883E715C
                                                                                                                                                                                                                                        SHA1:8BBB442FE28E28A4C499FF190E26AC892CB8AB1F
                                                                                                                                                                                                                                        SHA-256:9A79A4ED51DA46805218B6C0AC883D4DD7DB1CEA3821F169110B9F79DF8B1A0C
                                                                                                                                                                                                                                        SHA-512:70BC185D3BF9F31C94813359393E6595136857F28438AC98B5A85F84C3DF807F14B57E2F68AC499BC7E61855AB9CB32EA082532449BEB6AFA9AC3BF9B7D1E278
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ..............................4.....@..................................U..O....`..,............B..((........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M...*.M...*.M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3024123
                                                                                                                                                                                                                                        Entropy (8bit):7.999926956152327
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:XtwldCigFirCUvd1LJoZSrfzWZWrOwv5l10jYQMFsin5tKfgD768LjNx4dOOPHT:G4igFibvL1yUROkf1a4Cin5t6JKhOPHT
                                                                                                                                                                                                                                        MD5:384D6DA5C34FF401B18F0AF41E3A2643
                                                                                                                                                                                                                                        SHA1:3DDFBCF79E55904DF77DF2125F2112CFE7703EEC
                                                                                                                                                                                                                                        SHA-256:0699C4CCAA2F9E6768475F7FBD0DD93DAB1A0A0DC8859E9EE8F8A48AD1075D7D
                                                                                                                                                                                                                                        SHA-512:5B63245BEDFC7260B27254A33F621A8B626A36C13C8F8AD516F51013BD6751770D37AFDC1FF8F7646D9F972081ACD24776314405CC397762A4F58D6DCA0A7F32
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......<fY:'zY........?...AgentPackageProgramManagement/AgentPackageProgramManagement.exe....(.......%n............a....^&....#..<[.. .o>2)....W.PlphQ..%We....2...~L........\..1,5.1n..P{=I..9..|....:5-b..J..^..J...}...C:.....kA.G.Q.B....Ee....f..v+%.f....2......)cd........DJ.W'..D,...u4`e.t.u....B.c.T...u.;.v.7.Gs...+.1.%..C.ma.a.9...2j).......v.p....Z......I...,ay;.k..<...=[p.......NB.<......u...C.2..|".d.j......#?..1...]Z... ..%Atv....z....s.IH......R.....Rb.....EKM9...l...EA............R.....5g).......'S..o.(......|..oa..<.".z ...Z[My...`..s...3.v`M%s...fW0J..aD.-e....3iUQ~)s.<*7..{..3..d.<G2_w.7...Tz..k.)w.RR0.6*.0Sl.....3..F8..O..g..E.ahr.C....^.BPGw.Z"#?...l....X..z..o..B..K....R.?..`..>Bz..;0V.>.<.+.J.4/ ..V".4..~xl..F..,.qN..mQV.C..z.H....PI.'t\z~..E.>.|.9..<..W..Da..X<.@N.A...........<.$..G...$...g\(..._:.....{............".g....MX&.^......O'm.5..J&..G]XK.y...*y......Y.*.on.~....$*J.'..|....l......1.%L\.1V....*......._...g......<.EG..9.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):56872
                                                                                                                                                                                                                                        Entropy (8bit):6.184385666278393
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:pQG8WGQaZZdCf1LJiuyljLY+z/VyGICVbxPuYL4qtbeBtYcFm7B6K1oEpYi60CE:pQQx4L7VSybxiqt6xm7Bl1R76E
                                                                                                                                                                                                                                        MD5:A739B889642CA9CE4AD3A37A3C521604
                                                                                                                                                                                                                                        SHA1:18BCF6FD14C5AECE67AE795A3C505A0C1A9D5175
                                                                                                                                                                                                                                        SHA-256:44B96244B823052FB19509B1F9576488750C4EDAB61840AF24B10C208B47FC92
                                                                                                                                                                                                                                        SHA-512:92243E80FD77B9C3F9231C750935B34D9ADCDC76E1A45A445C47888A1E98FACA1C26F617459DB0C1AF4860A5172401F03E64039888E6F84726D2457CC550BAE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+g.........."...0.................. ........@.. ...............................B....`....................................O.......................((........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Q...k...........................................................~....(....-..*.(....,..*(....~....(....(.....l(....(....*...0..3.......~....(....-.(...+*~....(.....(.....(....o....(...+*..0...........(.....~.....( ...*..0...........(.....~.....( ...*..0...........(....(......(!...*2.(....(....*v~....(....-.~"...*~....(....*...0...........(#....(.....o$...(%...*.0..g.......(&....('....o$......o(....s).......+......O...r...p(*...o+...&...X......i2..o,...o-........,..o.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1251
                                                                                                                                                                                                                                        Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                        SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                        SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                        SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLV:WBTh
                                                                                                                                                                                                                                        MD5:0A4E3CA227D7488A6D35CD34C996A112
                                                                                                                                                                                                                                        SHA1:EAA59486A0A1C4C90F6CCE96879EBEBFC42A2CC6
                                                                                                                                                                                                                                        SHA-256:8863E1E0D918A36F4E570BFDA20316AE5A131FE3EDE970A83AD704059F5A2743
                                                                                                                                                                                                                                        SHA-512:400C3A3112AAA18027C47B5370BCEE535F8CE82B945DC96E16B81A99DFC8BEF6C0C996E363AB67336D746A602A3CFD70B989017497A1E55AF7663A336F5D15E8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.178091158418056
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:fgs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tUn:f0jjnl1wuDYjQbQgLbZs8DWdKp
                                                                                                                                                                                                                                        MD5:524644D07DFBB5BA00BC10760ADC1A26
                                                                                                                                                                                                                                        SHA1:09F5FB63FCF2B98CDDE49C08C7F00AA1F5D736B8
                                                                                                                                                                                                                                        SHA-256:2A4CC462C8D4132D3E790225753250004BFB853D44C16DB9847D3259A31F72A5
                                                                                                                                                                                                                                        SHA-512:311657CF4C66771285DA324C0D3D669134994A1C15CBF6BDD93C9823F629F846C4BF82CF890B34055C213B5D0B0EAAFB94DA2A6B02BD46B85CB1CB8DA3F00489
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y.g.........." ..0.............b.... ........... ....................................`.....................................O.......8...............((.......................................................... ............... ..H............text...h.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................D.......H....... ....!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.310416565021442
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:MINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgF:JNsii6v/HS0+OJd5gpKm76tgF
                                                                                                                                                                                                                                        MD5:AD1B43C318655C7B1718650CE2363B31
                                                                                                                                                                                                                                        SHA1:7F79895F5EFCA53625077B77A3A706FEE84AC8B2
                                                                                                                                                                                                                                        SHA-256:BC8DCB5453165431C14E42D8CC625B110FD1FFD2262A264B89E2B5919221E11C
                                                                                                                                                                                                                                        SHA-512:66D59A88B8D2AD20CED038FA1B21C8EBD5C05EE12488056EB375BCBBA9350A86E6B75C2BB96B6EFFA37F0DA4DBC92D0950F29DBC6383E93F45068180E104747B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ..............................u.....@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.134241628993444
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvZ:U+e55LgIkTmyAAfTnMLvZ
                                                                                                                                                                                                                                        MD5:6762019C89413E273B65BBDA0DDA1F33
                                                                                                                                                                                                                                        SHA1:3827B82672129D766441EE3A888FB20A214C9166
                                                                                                                                                                                                                                        SHA-256:0549B79D915012B84C8D2BB64CD5D5177BFF3CBB559EE25553F3728A8CF2FC61
                                                                                                                                                                                                                                        SHA-512:FADDD66A71B54FFEB1408BC740C85B57BE6476B79D5B2E048703B75D7450A24FC3B0F4B16383D0736A6AE5F29FECD95EBF3CF903093E411B6A97EC49B9FF725D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`......>.....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.9605882988703245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:1Bja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:1Bjk38WuBcAbwoA/BkjSHXP36RMGq
                                                                                                                                                                                                                                        MD5:71C0AFD3A6612415A6435862DA08D819
                                                                                                                                                                                                                                        SHA1:B4C3605A5C2FF30737818B6EE5B3C18E1CEB1DD0
                                                                                                                                                                                                                                        SHA-256:4285095545443E727BCF3CA4BEEDA95AC3A3F285C12DBFB9604582BAE1CB7329
                                                                                                                                                                                                                                        SHA-512:7BD7871354FAB8A20E1BC7A49E295E11BA130571A9F964671FF4524556D79A3B6AA08A48068F93F48914AB9EF5396E0F35A75F3579C2B0B64C698203FBD98E22
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.675518692328492
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqS2:guhMaVmzDC6k0EpYi60H
                                                                                                                                                                                                                                        MD5:EA6DC0FE3F04F7FA84E1D85C8E22A9F1
                                                                                                                                                                                                                                        SHA1:0DB3F1C2BBA5AA577C25A6DF1CA0968C161EA4FD
                                                                                                                                                                                                                                        SHA-256:75427BEBAEA898009A0C375AC78D2D5B85ED8D82FFB47B2F426DDDA53488084A
                                                                                                                                                                                                                                        SHA-512:11FE2A6285690537553A7E3EA5B8183CF9ECE7F518F56095F91E1CA5CB5377BCC12CE3D64EFFEF83411CD0CADD6BC9B782B0E621FBF323B394644B2D03B355D4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ...............................2....@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.26683606308263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:sYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zv:sKC9niwOepJ6TJPeb6NIUFg76Kzv
                                                                                                                                                                                                                                        MD5:89B48C386D60FBC7D9D3D8763B8072D8
                                                                                                                                                                                                                                        SHA1:BAFA1A4BA0A9851AE946C33C853CD9876ADF8547
                                                                                                                                                                                                                                        SHA-256:54121CBE1846804602A349FD840A9AD5156AF4C4C5CA3156EEF0485E66A11D27
                                                                                                                                                                                                                                        SHA-512:412CF12794691E760078E7FA51DDCFB53259FE1317B54656FA3691CC2A6470E2B76FE6F6399B7F23DB03C40C064151B1CCA44DECE66EFB85EBF7FEA93233AC10
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@.......v....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.17880192184794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHW:mh0qjC5RMOHO420kN19
                                                                                                                                                                                                                                        MD5:70B39FAB40BC008A02944BE1683A6E14
                                                                                                                                                                                                                                        SHA1:D8024C5444457ED030237B8BF208344A01783366
                                                                                                                                                                                                                                        SHA-256:2F106177FDCE0FC2DDD76E3D594784673B8C5F5770F829FA4A804ED3D6095D05
                                                                                                                                                                                                                                        SHA-512:F2F023D79126F2EF57284709F81D54F8953DC8D95A325A1EC68DB3EB3776C9CF150BDFA741C8473946A1A00D337E4AA3E10E9756508F424E75DBCCF22C1D6B9B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`............@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.6371360514611695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08e0:iCn6xYEpYi60k87
                                                                                                                                                                                                                                        MD5:420069A4BBE2752182591DDF01D72133
                                                                                                                                                                                                                                        SHA1:40001DB247DB85C1FCD1C8BE9E5ED7534BE888C1
                                                                                                                                                                                                                                        SHA-256:31CB62AD3CA98187D24183A4A9B6C91BBF3DD345A344F3152DF974EA6D75B6FD
                                                                                                                                                                                                                                        SHA-512:476046825D7731FABED1C7F4317A874DA1BE5F237CE44587EE157B25FB24588F57D14F15041D82A23354802D587414206C195F6CD4B3DEFDB3431627595F936C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ....................................@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50216
                                                                                                                                                                                                                                        Entropy (8bit):6.207311639251304
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:39m7rm+YASu8B7i8d4g/eDEBHqLxAh7f61IkBnCqbC2WEpYi60hx:vzB7zDeIBKtAI15Bnu2X76u
                                                                                                                                                                                                                                        MD5:B950A696F021C3959CC6A057DDEF79FB
                                                                                                                                                                                                                                        SHA1:69E192D4EC941B4F7CEFEB1877B619149B5AA7AC
                                                                                                                                                                                                                                        SHA-256:CA64A8CBD3E49BBD47F1BDB5FB293E9856947AFFD38DF6AA31587C7C652BEE6C
                                                                                                                                                                                                                                        SHA-512:C1A3AC50CE2E989686F8238C87B02CA8EA7FFF10631E0538FC7B0FD1E8F5C70C3E72EAAB51F392CBD0DA110686EF891FD5497F55F890749BADD0170136800E36
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[]..........." ..0.................. ........... ....................................`.................................E...O.......................((..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................y.......H.......@K..Lf............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1140
                                                                                                                                                                                                                                        Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                        SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                        SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                        SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6655016
                                                                                                                                                                                                                                        Entropy (8bit):6.267124988963532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:XCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIjA:vlV1qKpkfqbjeGVr4NHYJ60iA
                                                                                                                                                                                                                                        MD5:C92C6FDD6C8D332F2549CBD0246E00E8
                                                                                                                                                                                                                                        SHA1:000A23105DA6036C0F0F6BE078B1DF1362A80017
                                                                                                                                                                                                                                        SHA-256:5E2DB8CDD4607D548B8A079A9C4E475C830FC28BE99587495FA018C17161AB3F
                                                                                                                                                                                                                                        SHA-512:94F9A86402CFDECD62B667C40F43513BA66348F3CE1AFF5A392DCD59E4FF952AC403F5DBD9BFB9115824ED1D3D281BDD79539AD22DC9105D4031FE3F7EDE4F96
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Db........... ......c..........c.. ....c...@.. ........................e.....e(f...@...................................c.L.....c..............de.((....e.......c...............................................c.............. ..H............text...w.c.. ....c................. ..`.rsrc.........c.......c.............@..@.reloc........e......be.............@..B................H.........A...!.........H....3..........................................0..T.......r...p...o......9,....s......o......o.....o..........9.....o...........9.....o......*.........3..........7E......"..o....*...b.:....~....*.o....(....*....0..s........:....~....*.o......9......i:....~....*.~....:...........s.........~....(...+~....:...........s.........~....(...+*.....6..r...p(....*.."..(....*...:.(......}....*..0..+.......s.2.....}.....r...pr...p... 2..s....o....&*......0..{........o..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280616
                                                                                                                                                                                                                                        Entropy (8bit):5.690702355916042
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhC3:mJrycoB3HVeESME3pnaVTS1nh7hCaG
                                                                                                                                                                                                                                        MD5:12DEA6200DFF02423B75E3BCDB989844
                                                                                                                                                                                                                                        SHA1:4181D3DFD7B01C6E918E7627C9A781745D1359F9
                                                                                                                                                                                                                                        SHA-256:E511D5AC445A9712EA9A3125CEA961F3EF91E52074DD2EFF422F774B47C19C64
                                                                                                                                                                                                                                        SHA-512:32651D140AEC8A0BBA35CD81B399516A7FEC3B9E0715C70F5F566F9A0BFD997303B46A471F06DA1D4FA4096387BDC3EE7C23FFB312713FAF72A8EBE9014D315D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`.......7....`.................................h...O.... ............... ..((...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1185456
                                                                                                                                                                                                                                        Entropy (8bit):7.999660178690134
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                                                                                                                                        MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                                                                                                                                        SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                                                                                                                                        SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                                                                                                                                        SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....J9rX...........=...AgentPackageRuntimeInstaller/AgentPackageRuntimeInstaller.exe....0........g.........^ ....,/_.U. *t....H......Z.X..x#...?....(/.EH.....r.l#.6.......76.b....u',4%.Y.br....W..VcO..[b/.....(....."I..u..S*....../.x...j.5.<b......n.v0.. z'M.....w.. ..qu.<...w...[...9....F...D..+....o....!..1I...^=H1.{.:=\...#V.]...1..)F.s":$.g.H.p.'^....K.F...3..}.......[J....xD.........._RB...... \=b.<.u 1k.Y....&.X.).`>M9.$H.].>t..^..!....}_.H.....h....uT.q..cJE.M... .QG..+?.gZM...G.9x.T.q..U..... X.s.....{....F.G$..$.A.n..jz]=.qi!U..4.>.e.7"..].O.F..XdciK..d_0..H..7rHd.jj.L.v6.< ........2.8....8.mc_.(!...\u...mY.........tv.e..,'..E......l..s`... s...W.Sx9b..Dnc...!0_..T.y..%r..{..E;....v"ce.K....{...).B....:N.H$..h..F.......Y.8k.....M....~9..X-M....f>~t..*#..R......6M....f....>-b.....W. .S.WO.c".>.....+iR..w~.u...6../..J..^&...K.BcQ.Fy....<.O.......P..y..#5:l.4.......~........g.:W...1.p7...K...n{.9~..c.h......NT.5...w........?_>XJ..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55344
                                                                                                                                                                                                                                        Entropy (8bit):6.139210251385105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                                                                                                                                        MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                        SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                                                                                                                                        SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                                                                                                                                        SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ......o7....`.................................X...O.......L...............0(..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H........K..|v...........................................................0..........s....(......%.-..( ...+..(!...}\.........s....s......o...+o.....=.r...p(.....(....(.....(....o....r?..p(.....(.......,..o ....*.......4..A.3......4.@t.......0..8.......(!...("...(!...(#...($...(!...o%...($...(!...o&.....&..*........44........('...*..{....*..{....*..{....*..{....*..{....*..('.....}......}.......}.......}......}....*......s....*......s....*......s....*......s....*V.('.....}.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2010
                                                                                                                                                                                                                                        Entropy (8bit):5.013965898836397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                                                                                                                                        MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                                                                                                                                        SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                                                                                                                                        SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                                                                                                                                        SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.195903304850222
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                                                                                                                                        MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                                                                                                                                        SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                                                                                                                                        SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                                                                                                                                        SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ....................................`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998418289121845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                                                                                                                                        MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                                                                                                                                        SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                                                                                                                                        SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                                                                                                                                        SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ..............................P.....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.6559468525212
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                                                                                                                                        MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                                                                                                                                        SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                                                                                                                                        SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                                                                                                                                        SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.23943595769723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                        MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                                                                                                                                        SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                                                                                                                                        SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                                                                                                                                        SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`.......w....`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.4113040933608225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                                                                                                                                        MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                                                                                                                                        SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                                                                                                                                        SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                                                                                                                                        SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&............." ..0.................. ........... ...................................`.................................>...O.......4...............0(..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................r.......H........E...s...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....P.........io ...&..i.X.P..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....P......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.1343664856235245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                                                                                                                                        MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                                                                                                                                        SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                                                                                                                                        SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                                                                                                                                        SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`............`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1409
                                                                                                                                                                                                                                        Entropy (8bit):4.992215339808616
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                                                                                                                                        MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                                                                                                                                        SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                                                                                                                                        SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                                                                                                                                        SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071504659955744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                                                                                                                                        MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                                                                                                                                        SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                                                                                                                                        SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                                                                                                                                        SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...............................;....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960370699367048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                                                                                                                                        MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                                                                                                                                        SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                                                                                                                                        SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                                                                                                                                        SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.11766612253341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                                                                                                                                        MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                                                                                                                                        SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                                                                                                                                        SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                                                                                                                                        SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.678784612747097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                                                                                                                                        MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                                                                                                                                        SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                                                                                                                                        SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                                                                                                                                        SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):97328
                                                                                                                                                                                                                                        Entropy (8bit):6.2419469146373485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                                                                                                                                        MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                                                                                                                                        SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                                                                                                                                        SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                                                                                                                                        SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0..J...........h... ........... ..............................P.....`..................................g..O....................T..0(...........f..T............................................ ............... ..H............text...4I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......L...............<^.. ...\f........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.17954530016547
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                                                                                                                                        MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                                                                                                                                        SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                                                                                                                                        SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                                                                                                                                        SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`......\.....@.................................?...O.... ..@...............0(...@..........8............................................ ............... ..H............text...h.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B................s.......H........ ..............\.......D.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.673983708245621
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                                                                                                                                        MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                                                                                                                                        SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                                                                                                                                        SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                                                                                                                                        SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342865
                                                                                                                                                                                                                                        Entropy (8bit):7.9992844075056935
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:9nQP7HqdkykjdqfvImDTIVfygNymRsl8aejvq13W/V191OQB6MBsUUnf7spSg+V1:9nQP7Hqdk/pqo0IVfb5na9Z619MQBxu9
                                                                                                                                                                                                                                        MD5:B3E14504A48BED32C53EC7AAB2CB2C8F
                                                                                                                                                                                                                                        SHA1:0BC0D486A5ED1C4CDF2390229883ED3473926882
                                                                                                                                                                                                                                        SHA-256:ADEA6001759B5604F60BBAEC8CE536A1E189ADEBC7394F9CFF3921CAE40C8C9B
                                                                                                                                                                                                                                        SHA-512:E5A5C09355EB9CB45DC872B59EDBD54F62F15445CA6CAAA3187E31E7928EF4453AE8405D9EEE5D2AEC4FA34965D3006DCF61C060B8691519A2312382612C683F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......i/Y.h.9........-...AgentPackageSTRemote/AgentPackageSTRemote.exe....0".......p.......(.|Le....r....W..........'.-._.{.a.b..-....6u.#."'+.u.9...B..n.....>!(.Tzs4a.g?.....{...J}...v..?.Q...........0.P..m.....2^...X..}k.....VU.HY.*.sZ..Y$H..j.g..p#...9..f/*.8...(...w...a.&B.`.bV/g{.....0.QRH.J.E.c.m.}!..T...N..74.r.*J...u,....\7...o...~.....>`X;.2i..g.7.^0..R0[P..."..7..t.d.........!#.}t..G.%7"p.jnG....(..Rg.K9..Z.#...w.4.351.......-.....v&.t.g?I.pA_.J..`..p,.....4G..h.D....d.:s..H..c....l-y\i.@.....lr.$..LC..._.<W.>.(..0B..rz...... V......v.{"........=..zSqA5.-..2...!.>..rB5g.....Tq.....!8\.S#.K.N.l[...L..|...i2..3pp..2'...Cx.@.<..q.\.<..J....&.\.X....mk...ic.....F.@r..^.^e.?....l#.9..Q..g..7a|2.@.g.h..:....|8...{[..N)~...6..i#.q..F5W.dK<.C..Wm..[KPI.......h.x..SO..m......6..*.........G.TS..p.Z.@..dx.N...\...OmO.Ho.l.^.#6.8.:eM4`...).yU....W....C.]......f.2....:...m;r..;...[...:D()2"....Q!S..ik5.../t.V..:s..f.a.V...}ou..o...j....b.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):74288
                                                                                                                                                                                                                                        Entropy (8bit):5.498724993681897
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:y5TTyapvW7AM3ushkm7Xv2piJQ+VASa0oJoU0BaaOP/7HxZoU:yU48q230au/9
                                                                                                                                                                                                                                        MD5:749C51599FBF82422791E0DF1C1E841C
                                                                                                                                                                                                                                        SHA1:BBA9A471E9300BCD4EBE3359D3F73B53067B781D
                                                                                                                                                                                                                                        SHA-256:C176F54367F9DE7272B24FD4173271FD00E26C2DBDBF944B42D7673A295A65E6
                                                                                                                                                                                                                                        SHA-512:F0A5059B326446A7BD8F4C5B1BA5858D1AFFDC48603F6CE36355DAEAAB4ED3D1E853359A2440C69C5DEE3D47E84F7BF38D7ADF8707C277CD056F6EBCA5942CC5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0.............z.... ... ....@.. .......................`............`.................................(...O.... ..P...............0(...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B................\.......H........D..4............................................................0..........(....9....(....~9...%-.&~8.....}...s....%.9...(...+~:...%-.&~8.....~...s....%.:...(...+~;...%-.&~8.........s....%.;...(...+~<...%-.&~8.........s....%.<...(...+*.*..(....*...0..-.......(.....3..*r...pr...p(....,.(......(....+..._*....0..(........(......~....(....,..*..(....~....(....*.0.......... ....(......i./.*...............&.........7...%.. ..o.......r9..p( ...,.*......s!.....s!............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWl:WBQ
                                                                                                                                                                                                                                        MD5:3D66AE5ED06891E8CE75A39A24070844
                                                                                                                                                                                                                                        SHA1:368064119835D4376727A14706C41384446183E8
                                                                                                                                                                                                                                        SHA-256:73DBA8242FDB4DE1393B367A239F730ACA6713E6658BE69F1D8992AD26479176
                                                                                                                                                                                                                                        SHA-512:C0B61F92BB61A7BF90225D1BA5A1BEA0FC077C2481A2149663B546296421855AB3147C3A1F5372EBC920731624BC8578595C18CA9D138691C720FDCB86D03F8A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.4

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.180256382950937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwht:gQUm2H5KTfOLgxFJjE50vksVUfPvC6
                                                                                                                                                                                                                                        MD5:EBBE06F612E1C8B87E3D4AACA15A29B5
                                                                                                                                                                                                                                        SHA1:D2B1317ED96EC0C92CCAF7E85F68EE24F289413F
                                                                                                                                                                                                                                        SHA-256:6CD16DCE27E724C2DAA098F131343FFDBBED0DA5B7EF62542B421A0817DE3A3E
                                                                                                                                                                                                                                        SHA-512:EB079EB409925516118DB4980BE734A645B7444BC51862CE7C95D52E0697B7B937BBACAF421FC5AF1A01D3262C1B19A3CF9376ADB0A5537DE0973E0B7DDE63DF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................Rm....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960782910515381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:PBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUJ:PBjk38WuBcAbwoA/BkjSHXP36RMG8
                                                                                                                                                                                                                                        MD5:3B395830460C2F72BC6CD12DD096DB0C
                                                                                                                                                                                                                                        SHA1:73063C63D2B562310AF76ABEF2A8B7E697389C94
                                                                                                                                                                                                                                        SHA-256:F7BB07B7C1718DBBCB692AA4296EBEFD7CCD1E55F27BE00703A3CE623AD38D5B
                                                                                                                                                                                                                                        SHA-512:DBCAEDDDC4D99586F1E04FDA97E1C706FBC6BE7BB766E0FE73ADDAD3116517010A3C1C92D7F54D71533B4C4459631966D8D0CF370ECF1F789F7D25FCB2F5A64E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\lh.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86
                                                                                                                                                                                                                                        Entropy (8bit):5.047830598376699
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YhKSLJf2B4VXwAxUbTU3OtJNFHlT/j1tmz14:Y5fVsUe7rHJ/jo4
                                                                                                                                                                                                                                        MD5:9D4C143EF9DB298CBDCB1FF8859C7EFF
                                                                                                                                                                                                                                        SHA1:C0D99A35D76FB1CA8BA39B72E55EA744A1E1E896
                                                                                                                                                                                                                                        SHA-256:185393A0D2DB5944370763A82E04280C4862E9F1D7A22CDF0D98658EB11EBF74
                                                                                                                                                                                                                                        SHA-512:B08D16A0E293C0364EF0016B44128F52F82D6F573F81830D24A3FA9CB0BBFDEF4E1764FE8671C4813A40670A142F57788EF14F69E416EE0E22E917A03F740916
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"DownloadedAt":"2024-11-08T19:16:19.2269007-05:00","Hash":"aq6ZFTx4Y1PHUL+PXJd5sQ=="}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):88
                                                                                                                                                                                                                                        Entropy (8bit):4.957011170812698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:KPpTHKE6LGKWqKRLXsmfWoVUgXAQJ:KPpLflKWqKRLX/qK
                                                                                                                                                                                                                                        MD5:5A363144802DB69039EB52DF75D5C6DF
                                                                                                                                                                                                                                        SHA1:799BA83CF5C318A0DCEC480A92A7A6E4B0793DFB
                                                                                                                                                                                                                                        SHA-256:074D235D175E40B7D98B243FDEB7CF4D8F520512A76DD88F7DABCA5B3C4AFBF0
                                                                                                                                                                                                                                        SHA-512:FF64A1D38E3B3BAFE1C5A7FA7612B0664748DB2C02E2D0B8448DE5DC1B0E8A30952348053285397FCD88114B0FD642E3DDCCBB3B87BDDB92574BA8448304F7DF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..08/11/2024 07:51:05 Downloading installation to: C:\Windows\TEMP\SplashtopStreamer.exe

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):662057
                                                                                                                                                                                                                                        Entropy (8bit):7.999353949499206
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:BBRK7zkUGwDTrw2rTX8HkklhCrdD2TpNwjaIj2nW7+7nZh2bdb:BBRyNJDw2rTX8Hk5rZ+IapZYV
                                                                                                                                                                                                                                        MD5:7895698867D1AD33934A8553B4806DC5
                                                                                                                                                                                                                                        SHA1:32704DF55DEAFF9BF0B4EE0B887541856578938B
                                                                                                                                                                                                                                        SHA-256:EF5854B5E800A534A08C083D4A3956DFC0A474FF540CAE9BF0A9077A213B2FF9
                                                                                                                                                                                                                                        SHA-512:20337093DDC5322C4B96C7BF26F1A0B966FAFDE70A96F7E9B5E9D36ACAC7D862BD2A50CAE9A63731B23904A9256C94CD3BB4E19768130580511EC4C408536A58
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....B.]Y.]Up........3...AgentPackageSystemTools/AgentPackageSystemTools.exe....(........j........A.U...6X;..qH?(.8....1...FU..ux,....R.mn}..p.8.}m..N.o#.. <..Q.t..\...hP.9.....n,..X...%......S% ...x..+&Dq..f.Ao..o9.B .....?..-)X..v.,g<....5.|.....[.z<.&..D.P.(..1 i....{....G_.2.[m....Q...7..~#....<Aw..w..o...U.?...2....9.5.{e..H.$.,..T.C.H...siX..f....D.Pf!.......f.87e#......3...x.I.#...-..(.;....w]_.8#..\...a.%.K^z~...a}..~.g..C...@ek,i"^>s..c.'......Y.\.h....=.V....<.c..^B..Z....%..|'..3m..@}n..F..x....+.\.m.4..>.&....L....<.......y. ..X.K..@m~..>`1Y. ...Pv.Y.c.....w.....h.y.yL..|&.%}}Nr....E...u.4..`f...}..1...)...r..>).M.n.I.>..B........>.>...V...8.W..-.U..a..E........_#`y..X.....S..e..^.45...s....wp..$.r.D..+'....p..CK..B.=..q. .I.1r..u-9ZB.Oo.M.....3.._............:....K.....G./...I...d]p.....ht...k~...t..!.1.sf..?......k......A....n.3...\Z.f..l...X[........S....f....pG..p..I.... .(........E..F.u.......|..;.!.....w...%uL..i.V

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.276903482604295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:MsK/GcLpkOGiHuAQ+INjkfEQ3Tnz8AnTqLx3OEpYi60nN:M/zpqiOAbINwfEQDz8QIx3v76GN
                                                                                                                                                                                                                                        MD5:C0F02EAA3EB28659D8F1BCBA8DE48479
                                                                                                                                                                                                                                        SHA1:5BE3C69E3F46DAFF4967484A09EB8C4A1F4A7F0F
                                                                                                                                                                                                                                        SHA-256:6BEFB51A6639CAE7E25570F5259F7B1F2D9B9B6539177D64D2ED8BE50DDE6268
                                                                                                                                                                                                                                        SHA-512:47B536FA628608A58F6F382BBC99911EEFF706BECFAF4B1C5FF904CA768917F40C2E916BA5A31992DF0335BA5A57755F047F70AAFAAC414FC655DA0CD6F95E34
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........."...0.................. ........@.. ....................................`.................................D...O.......`...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...`...........................@..@.reloc..............................@..B................x.......H........B..dq...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o ...o .....(!...*..0..........r...p... .....r...p.(.....o......(.....o.......("..........s......[o......s....%.o........o#.......s$..........s.......i.J.....%......io%.......o ...o ...(.........o&...*..('...*...0..].........~(....~(....~(........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):923
                                                                                                                                                                                                                                        Entropy (8bit):5.156246271896278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:Jds4F7k1hOXrRT2/2E10PT2/+w0E1UrPT2/+7Trln:3ss757Rkqk+wik+7Nn
                                                                                                                                                                                                                                        MD5:D6FCBCF9C6ABC2F051772E7A7D5EDFD5
                                                                                                                                                                                                                                        SHA1:33D9962BCC42F021A7CEADF3D1C613B4643C66F6
                                                                                                                                                                                                                                        SHA-256:F523D40AE141AA8899B053D77117FCF50639708757AD4A050F3A11E8582A894A
                                                                                                                                                                                                                                        SHA-512:07DA40F1C43A1E35582ADE5DBBAEB47EC2922C42241BD4B950EFA76407597CF838338E27F3F5197E02F5209B27542207BEDBA9B85681955E3C326C95C1F5AC22
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<runtime>....<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.....<dependentAssembly>......<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.....</dependentAssembly>....</assemblyBinding>...</runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                        MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                        SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                        SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                        SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.1656661918593905
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:f6sg/V5pWyNoWSh7Wyt1M2MAlb7UkN9/EVYFfbQgL/BR18xRUmHkEWpkGI76jC:fI8/Mmb+afbQgL/f182iGIJ
                                                                                                                                                                                                                                        MD5:6C7379E62BB26D3368555BDD5CD83E88
                                                                                                                                                                                                                                        SHA1:A406C91F1FC52525244B9E9EDC2A2188154A6109
                                                                                                                                                                                                                                        SHA-256:B87F055078EC819250F49ABAF196D42ECD994070BE5C14A9A157E783BCDA39B4
                                                                                                                                                                                                                                        SHA-512:E3FB4CE3826F39F8949EEFC147D7D07F2DB0265D421710A0058DEBBA9EFF21294563FDBE62020F42649E7E4A98CF63398C7F1D14E66712C5EB8EDA1D0C4CB5D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........." ..0................. ........... ...................................`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H...........<!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.310423924344811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:LINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wg5t:MNsii6v/HS0+OJd5gpKm76tg5t
                                                                                                                                                                                                                                        MD5:75A85EBD35C909B1AE34FC3F37500E53
                                                                                                                                                                                                                                        SHA1:B7527367D4860841EA922589D66B928B27FE53CE
                                                                                                                                                                                                                                        SHA-256:D3C5160AB184F88A1CCF47846AAF8402200FCCD509B31A73B8AA19F529AB14FA
                                                                                                                                                                                                                                        SHA-512:96F4B49F8FA28A20CA893D69D7432F07D516C15C0FBCFE83891F832C15D1883518487410165206D481CDAB48C130257C073AD626E6F318F2DE31A441443CDACA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ..............................1.....@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.853907358895156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w1c5uLPirbW34/wUNyb8E9VF6IYijSJIVxRFTNUJyXo:w1cKmENUEpYi601U4Xo
                                                                                                                                                                                                                                        MD5:5F6C8C110454CFAC8B8EE908A953868F
                                                                                                                                                                                                                                        SHA1:C6A2B66C840C0F9324AA255AC8D6E440B2F2F3FF
                                                                                                                                                                                                                                        SHA-256:9E203ED95084AB3B3F3C199712E9C76DB4D9FB3AA5D6BF004ADA9FEE328B6AD5
                                                                                                                                                                                                                                        SHA-512:F682720C6BE19E2B1CDE3C4A03D7D1D7211A3789127F13C1C283F838B8045EAEC4B5C570DCB07ED054BAA5C23C839836D13D0DC8F00205B34862A185C581F537
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........."...0..............-... ...@....@.. ..............................9|....`..................................,..O....@..................((...`.......+............................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........!..$............................................................0../.......................(....}......(....&(.....{....Y*..0..D.......................(....}......(....-.(.......(....s....z(.....{....Yn*..(....*.0..t.......r...pr...p...s......o.... ....(.....s......o....&s......(....vl(....o......o.....!..(....&..(....o....&.o......&...*......S..o........7..R.!....BSJB............v4.0.30319......l...T...#~..........#Strings....\...4...#US.........#GUID...........#Blo

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1017
                                                                                                                                                                                                                                        Entropy (8bit):5.00184675687532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3Ar+z7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:8A743B2BAC31EB00D4BDA0EBC8DF160B
                                                                                                                                                                                                                                        SHA1:5564F6A8F02973D040E8409E21B2A18ECA2CA8EB
                                                                                                                                                                                                                                        SHA-256:31A69A6D9423CE1BCF98F5281DEB1B8F537D95609CDFA03AF9A41CBF00D1243A
                                                                                                                                                                                                                                        SHA-512:9F14C687EF076CEB4B903E2C5803DCB9401BDEADC00B0E090765E67B54E9BEEC733B087609D76C605C8485C7E446E8DB3A0D8AA3E17C969FC155F069070BB543
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.134219330910627
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:YjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvl:Y+e55LgIkTmyAAfTnMLvl
                                                                                                                                                                                                                                        MD5:E8815AB9546D6E490D2846504034579F
                                                                                                                                                                                                                                        SHA1:0555312ED1C700ECBC37BFCDE1140FEEE906FA0A
                                                                                                                                                                                                                                        SHA-256:4A48F3331F1CA29F3CD57658716A39837FCE120999CEF8E44B71FB885DBA861F
                                                                                                                                                                                                                                        SHA-512:67DF21BA4AEA22ED63EA7CB1E9E670815E88262E324D340B2BE7DD5361F770B12064F56016F1CD41024F6846E84B3EC0D4C61A5EE71FDF11879A7E714B0169B3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......N....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960700768144483
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:xBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUQ:xBjk38WuBcAbwoA/BkjSHXP36RMGh
                                                                                                                                                                                                                                        MD5:C1ED198D6A5A3B91803AE06CAD22C3F1
                                                                                                                                                                                                                                        SHA1:CC59677BE3ECFD80EDF5D1CF2EB90742092111A2
                                                                                                                                                                                                                                        SHA-256:D46156C73123F9E5F3008C58461EB19DE5935A21FD33366C4AF02682AB42C8F4
                                                                                                                                                                                                                                        SHA-512:26CDBA17B6546F8E9D43243EB708FCCA5DA8EB19AC164695DADB944F71CFFEEC908E9F269FE90F0163B332164D725CF0494AAB165677B588B188FFEB888D964B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.705325491847164
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dqHstMuvMK2tFNyb8E9VF6IYijSJIVx8s6:dXMukKeBEpYi60y
                                                                                                                                                                                                                                        MD5:21A4630C5A4D88DAA5C57E45FFCA3A7A
                                                                                                                                                                                                                                        SHA1:CD8D4B45D46F10BE5490D9A14D78C2F1B65288C6
                                                                                                                                                                                                                                        SHA-256:4869FC8C272289D814DD591294C9189B4D937DA08EF899D47D79D8D74557977B
                                                                                                                                                                                                                                        SHA-512:5B8650D6121AF5074EC65B59EE2067AC013AAB3E888FB1777FF6533F9125C453E9CEC24843468DD6C4030807CA988F9FD0E338AC54BA391C53D2F484BC4310E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........."...0..............4... ...@....@.. ...................................`.................................d4..O....@............... ..((...`......,3............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......(#..............................................................6.(.....(....*...0..........s....%r...po......o......&..*....................0..%.......r!..p.s.......o.......,..o.......&..*.......................!!.......0..........r_..p(......i...r...p(....*....r...p....s.....r_..p(.....o.... ....(.....s........(....-.........o.....o.....o....(.......l&..-.s....%.o....%r...po.......L....(....o....&..&...o....,%.o....( ...-..o....(!...,..o....(".....,..o.....*....4..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):975
                                                                                                                                                                                                                                        Entropy (8bit):5.005145470654642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsHPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3st7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:DB02B24A7803C99F651940FECBE6E283
                                                                                                                                                                                                                                        SHA1:34EF3032B61E369535658D72BCE1E9908888EA0A
                                                                                                                                                                                                                                        SHA-256:207C4D442FACD06379217DD915D85D926DD622E72F6DB5814753FD2E5F8D0048
                                                                                                                                                                                                                                        SHA-512:9C76B6E3DBB34E2729F5C0E49A2A195C87AE11916A4479676AD09EE2C182DD83F87E826BA39DDF410B99A82EF1053571AA7A1E97426D396794C6E25E066C3849
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.676761287031738
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Zy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqgzXU:ZuhMaVmzDC6k0EpYi60gk
                                                                                                                                                                                                                                        MD5:66084E1A2EF0F7EE9C19238C7F6D6DFB
                                                                                                                                                                                                                                        SHA1:0DE978530731CDEF53D0302D7CA32A5C56E3856C
                                                                                                                                                                                                                                        SHA-256:A1078DD6A3A1AB3FD28EB1B5EC10BB126C14807F3DBDA81650F75AC79AEE7E46
                                                                                                                                                                                                                                        SHA-512:97A4A18878BF64C20869F4A1A60CBF2A12D57413FB197C15A547CE5B1BCCA31FE36D11A4F5B300F23179C8B153B76E3C73D311545C67E6694FECEA706BA6914E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ...............................,....@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266538479286202
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:HYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zPk:HKC9niwOepJ6TJPeb6NIUFg76Kzs
                                                                                                                                                                                                                                        MD5:6D09B622635ED02D52600299F6102645
                                                                                                                                                                                                                                        SHA1:BFE508CD7D9F302E1A5C26184A46B752F64CCECC
                                                                                                                                                                                                                                        SHA-256:4E27A624A06023843D8369ABAC1E042845135AF278486FD86C3680928AECF66D
                                                                                                                                                                                                                                        SHA-512:6C4197E00E0C10ED1FF8E073A9D080C9C913A4CF2CB1B80F047B76F788059604F60F7D750A6EE8E66C65AB02BB847E4CBF737397B9E2C849A633674DAAF9AE96
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@......t.....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.178769713478036
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:CP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHF:Ch0qjC5RMOHO420kN1+
                                                                                                                                                                                                                                        MD5:825B1939391B03517732A72AA489B50B
                                                                                                                                                                                                                                        SHA1:B8B1E37E60C68E7C73D42A7C532E507DAE1B1D4C
                                                                                                                                                                                                                                        SHA-256:B1A7D040D2CFB5DF692BDE7D5C2CEEDE266D9A7B31804658FFBDAAA147E36C39
                                                                                                                                                                                                                                        SHA-512:74C71265D4AA0FE2B409DB33CE40F83D1208F225808AF780DDE72E02ABE1C9BF431630BB9CF2D46E097400DED78D6B9456B41643EE0C5B5C4C3649C5B30B0241
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`.......-....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.634307366985014
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2TO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08V83Y:2Cn6xYEpYi60k8yI
                                                                                                                                                                                                                                        MD5:72823338F267AE2E3B0ED7AB100DE427
                                                                                                                                                                                                                                        SHA1:C03CC9B7F7B1C2895A8568A3F579F154BADE75B3
                                                                                                                                                                                                                                        SHA-256:C29D08E8169DA52E8027AC9755CE99D81B2882B8A1F55648BBED8DB2A85B2BBC
                                                                                                                                                                                                                                        SHA-512:784F69300FD79F62556D473BD37A21ECFB743B5D063CF49299B35101A8399FC2A6F208D3A656C261180DA2558AC5FC93E397131BA0F9C1A2AE3B410328684B52
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ...............................W....@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3265339
                                                                                                                                                                                                                                        Entropy (8bit):7.9998753634262805
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:wXFoIT/tvGX5NRtboDmkXHZFs3YTC8joGQ:wXFoCVvm3RkmYs34/or
                                                                                                                                                                                                                                        MD5:85E1898362165FC1315D18ABB73C1B37
                                                                                                                                                                                                                                        SHA1:289A48BA5EE27C0134F75E243C55A90D32C11A05
                                                                                                                                                                                                                                        SHA-256:D0594B261E16394244C64289DAC00367FDC853A1A8E542E0E814A57494C5228A
                                                                                                                                                                                                                                        SHA-512:49FDBEF67C2A85B5D319C26E6E55456C94D294B836C946B9966C8746FB33DE4EDE62B93BA91AD657DF4DB24FDB3EE1DE7395652AE1086C876B7D0B85000D594A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....BYfY.GYZ......../...AgentPackageTicketing/AgentPackageTicketing.exe....(........I........pSu.&.VR..9K..N.e...s.I..-.G.....#..t_k.#`.......+..Y{..~..W.}......W..{.ft..e;.-..4v.....`.n#...,.wWR#.^x..g0.~..1....v(....h..YS../!..D/.....8L.....l.....d.dsrMK.5.T:#.#....~....kF.G.."S...../?V#G.....;T.....X.D.1....R..UkV..C.6z...3"...Ki%.b3]W.5..."5^Z!.3.o.IA.S.....Hz.C......fTW*...F.....q..........i..Tn.JW...4)..7e.. ....^.O.4*/...=.Q...$.....a...{^_d.dr..&...C#.....!1........{.UP...<..z q6.[.NR.^H.r.{..........~g.Y.a.'..x{."G.+t.......f...J........U....!.(.e.$......jd...AB.........r?[..!s@.........=."cK..K!.L.........X*...h.U/........u.%.........'5..:.in'...>hk7....u..+.h.0E.0....~..fI...?...[.......`h....f....j.yQ.0....6<.....KM.M...~.~...o.v.`?...T..V.....t.B.. S...:.$.!w......V.~....x........./8.......U..o..4..l.....^.L.+...ya.|.y..*....V6l/a-........w........z...iU`&.Gu.8.......Y..M,.B.....=s.}P..%.Ug.0"E.....]..r.....P....Hh...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33320
                                                                                                                                                                                                                                        Entropy (8bit):6.302751646709905
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:b2G6bukIMKWcoBYRYm2uNNKAWFkfoi75yVUDMMXpO6FREVugmRNyb8E9VF6IYij1:OLKFvbJdUExLreVugm1EpYi60b
                                                                                                                                                                                                                                        MD5:F531D3157E9FF57EEA92DB36C40E283E
                                                                                                                                                                                                                                        SHA1:D0E49925476AF438875FA9B1CCFB9077FA371ECC
                                                                                                                                                                                                                                        SHA-256:30AA4B3E85E20ADA6FE045C7E93FEE0D4642DCABD358A9987D7289C2C5582251
                                                                                                                                                                                                                                        SHA-512:27D247AB93EF313CE06FF5C1DECA4B0819B688839C46808A6BE709C205C81B93562181926A36A45A7DA9570BAEA3B3152B6673A3BCCE0B9326C7D3599A3D63C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M+g.........."...0..N...........m... ........@.. ....................................`.................................4m..O.......4............Z..((...........k............................................... ............... ..H............text....M... ...N.................. ..`.rsrc...4............P..............@..@.reloc...............X..............@..B................hm......H.......p4...7...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o....o......(....*..0..........r...p... .....r...p.(.....o......(.....o.......(...........s......[o......s....%.o........o .......s!..........s.......i.......%......io".......o....o....(.........o#...*..($...*...0..~.......~....r-..po%...(.....(&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1537
                                                                                                                                                                                                                                        Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                        SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                        SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                        SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWC:Wr
                                                                                                                                                                                                                                        MD5:E4F836B4F3891BBADA14E96E3A14DA0B
                                                                                                                                                                                                                                        SHA1:7EE80364384F7B8D2E17F2A88CB525DE5EA35E0D
                                                                                                                                                                                                                                        SHA-256:F0F039EFB829B599B2848F130363C6C64ABF1715C3DBC909B3080E52BD88865C
                                                                                                                                                                                                                                        SHA-512:C7F31502846570D9BD3C3B570259ACABE9036A94A5D006F51A6C02E85CFA24B522D84C3BF9DFBFF091A2BD91B5F606537061E77917EFCB48ACB4E77C9A6DAA17
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.1

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.180052759903044
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:QgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj76F:QUpviy8UHTRxrybQgLbGm8FUpj3m
                                                                                                                                                                                                                                        MD5:97A69DDA383FBE34325726EBF08F71AB
                                                                                                                                                                                                                                        SHA1:5551E93C80FE2EF2C1D421CCB5F755C36D55A1B3
                                                                                                                                                                                                                                        SHA-256:D3C8B89DBAC2CB26FC0B1F5F7FAD9D549195A28D694455109CF618F5B38D33AF
                                                                                                                                                                                                                                        SHA-512:CA8147C0CFD338CDC99238B3B6AE6CC76B6EF1506F37E076B975ED8CA35C3CB262543ED8C88C9F4F72F1A6E8BDB41ECF8504F69C0B4D4F0C20FFE968C496A065
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.........." ..0................. ........... ...............................~....`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H.......0...."...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.203328996620754
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:QRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhj:E9XeDmzV2yzlhKLFU1lLVp1+2flYFnQG
                                                                                                                                                                                                                                        MD5:8DE7772DDF2A0DF4675EFD16E4735D4C
                                                                                                                                                                                                                                        SHA1:2F50EF70C9E13C2E6B4D75C9A975A05D7309FFE0
                                                                                                                                                                                                                                        SHA-256:3307A88999CBFAEC9D3380ED936AACDABB72B40731382D660023FAC12B97749A
                                                                                                                                                                                                                                        SHA-512:BBB520767A13C61C3BA34A9E1029FB734299A6FBC2D67F7C2BB265608665424CE2692EAB585DD9418C3BE7B89B93162D63243E2BDEC271A0A0B5444DA6E834B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ....................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.310977200199562
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ZINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgi:eNsii6v/HS0+OJd5gpKm76tgi
                                                                                                                                                                                                                                        MD5:37A74170412F7E806A24B640FCAE7EC6
                                                                                                                                                                                                                                        SHA1:90448127248633B5CE6A0B890F33F09A523A0D5E
                                                                                                                                                                                                                                        SHA-256:BC4B76BEB03D4B09B48441CB0039FEC91F844196E73A258AE6225E524B2BFCB5
                                                                                                                                                                                                                                        SHA-512:41E87A409E54E63C853041E966BE2E4E625469EE942DD251F64271EA2D8657D22B0C5F5404E43DDDC8EA55AE765A8168228A80BE8B2C1677974DB708FC58653E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ..............................f.....@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.671409310333907
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFJ:8SJh5tIYQzT5zyF60aEpYi60b
                                                                                                                                                                                                                                        MD5:707F4569B38DFA3C72FDC964F8472C92
                                                                                                                                                                                                                                        SHA1:F98DB57DF20F0ED9310DF948837E57EF8D60719E
                                                                                                                                                                                                                                        SHA-256:0B78ABE856BB9DD793B81CC0771A5188F4A9B86DDCA57671E3E77CA4B7FA0192
                                                                                                                                                                                                                                        SHA-512:B8C4C1F28CAEF3FAC4F7B8C9A01413A2E2B351668E0E0B93D8BAD0C43219D175865C493C33A232F0C662174EFBCFA812E07DFD3C10AC63D17018E5372C59D760
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p;_f.........." ..0..B..........Na... ........... ...............................k....@..................................`..S....................J..((........................................................... ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B................0a......H....... 3...-.........../.......2.........................................}.....(......}.......(..... ....(..... ....(.....(....o....*"..(....*..(....*...(.....{....,..+..+.-..{.....o....o....*...0..?.........+..o....,..+..+.-..o....o....,..+..+.-..*.o......,..+..+.-..*..0..J.........(.....(....,..+..+.-2.{.....3#.{....,..+..+.-....s....}.....(.....(....*j....$...s..........(....&*z.{....,..+..+.-..(......(....*..{....*.0...........{.....;.....(....,..+..+.-...}....*.{....,.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219176
                                                                                                                                                                                                                                        Entropy (8bit):6.062499353482465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:gYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhlc:gYqqbe2CSod5dtM8ww7P4
                                                                                                                                                                                                                                        MD5:A1EE7DE3F698BF1EA25A8979D9E5152F
                                                                                                                                                                                                                                        SHA1:B8C58F0AFD24E322A032171B9A5AAA74114A50FD
                                                                                                                                                                                                                                        SHA-256:2A38E10454BFBD94AC61886A66AB46F498529924963EDDB95C9980DBD2EBC2C4
                                                                                                                                                                                                                                        SHA-512:77BFE85B53BC4B409D2C25629A19D29C1CD3F24DE212871B739FE97D8AF5D9B70E89E7DB6FF23FCC46E771F2431E7C97D3B17F08061ECB593F319E78501CA0A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j;_f.........." ..0..(...........F... ........... ....................................@.................................dF..W....`...............0..((........................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................F......H........S.......................S.......................................r...p(................s.........*...0...........o.....=3A.o......o......,..+..+.-.....o......(F.....,..+..+.:B......oK...*.o.... 7...@........o.......o.....o.....o........(F.......,..+..+.:t.....{f...,..+..+.-......-\.o........([.......~....(....,..+..+.-5.o........oF........ob.......,..+..+.-.....}f.....&......o.......o....*.o.....\3%.o.......o.......t......(......o....*.o.....]33.o.........1&.o........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):302120
                                                                                                                                                                                                                                        Entropy (8bit):7.175764387769887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:LVi5mx115y505H0jIfJMSFk9X0jIfJMSFk9p:hswJMykwwJMykp
                                                                                                                                                                                                                                        MD5:FD82F0A09F58BDBAB946BB48E8CFFC1D
                                                                                                                                                                                                                                        SHA1:93A3F10F4BA6AA84B4A9C3F7D2CA94548EFD6B83
                                                                                                                                                                                                                                        SHA-256:DCF71123BE9AB08F1A71F9F0987D6CBEFD53DC66B4A6BB6C8260ABEC145233BE
                                                                                                                                                                                                                                        SHA-512:A21C2C461340B47C80F9984AFAEB0A8783F0655A742FF5F7A2D16CDAD59D25E45959FD2299C7DB98BE13986F16E95E6774F38489824719DD92058ECEFB6C8680
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J3..........." ..0..l............... ........... ....................................`.................................K...O....................t..((..............8............................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............r..............@..B........................H.......$W..(u..........L...X...........................................V.(......}......}....*..,..{.(..........,..p .@..(................s....(....*.~.......~....(....~.......~....(....*..0..........~.....(.....{.....{...+..(......{.....{3.~.....3..{.....p3.s>...s....%.o ...%.o!...(6...*.{.....{3"r...p.{.....{.....r...p.("...(#...*...0..$.......s$....o%...(&...o'...((......&.....*.................0..6.......r...p.().....-.r...p..q...(*.....q.....(+......&...*.*..........//..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432
                                                                                                                                                                                                                                        Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                        SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                        SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                        SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215080
                                                                                                                                                                                                                                        Entropy (8bit):6.0303185411774365
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Y1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sg:XIzm6pOIgvr75
                                                                                                                                                                                                                                        MD5:EB52EB05FFA0E3CD25485581883796BE
                                                                                                                                                                                                                                        SHA1:BF9A76B2DB32FF3DB9AB999C34B51056A05EF288
                                                                                                                                                                                                                                        SHA-256:BF040E1C2BD2216D0D661F5C1EA4DF1F3526EEECF4EBCCDBA56DD677BB813F17
                                                                                                                                                                                                                                        SHA-512:3FA920BDB568B7BA87A4B0D4DBA594A04FEDA6CA6F56298AB5C4AE66F76671DC8B2A1CB6B12758B93470087DEB443120E7C985C2FAD217FC91CDBE27E5BC78DD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................._....`..................................'..O....@..t............ ..((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.134117423700613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:yjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvk:y+e55LgIkTmyAAfTnMLvk
                                                                                                                                                                                                                                        MD5:30A9C0DABB202EE229EC55D4130D3D31
                                                                                                                                                                                                                                        SHA1:9DFD72765AFE775560F0871B089380736DE565CA
                                                                                                                                                                                                                                        SHA-256:54CC4581F6D88F77BFE4DB8628D763E9D111836024476C58B43135E9B07B808E
                                                                                                                                                                                                                                        SHA-512:8B092220F4F825E21CC1F20F52563CB0A812D7EE885B3FF4B618343BF5FBE61A32A3587E6CF19293C2E76A99AA156BBF096BAFC585CA9FFDF56FBB56BEDFC72A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`......@9....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.96062510170894
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:vBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUd:vBjk38WuBcAbwoA/BkjSHXP36RMGU
                                                                                                                                                                                                                                        MD5:9BAE200AC815334531D1EBD0B2328050
                                                                                                                                                                                                                                        SHA1:9757F595684A41065A7B326DF777D9F5E2384A7B
                                                                                                                                                                                                                                        SHA-256:5E67AE7EC5BB6A12B46C7C4028C76580C4A8BD583A4A6B63AE3A417CA9D669D3
                                                                                                                                                                                                                                        SHA-512:5959B41DC37199C03783022227D456C7DC2D81BFC8F6E6321DE4F968276CB83BC6D420C1665D0092D5B89C56F726F7C25DAD78B7D8DA7583F952A19294A3358D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154664
                                                                                                                                                                                                                                        Entropy (8bit):5.990669081913453
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:q4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3nXyy:q4wZywKn/U5xEwKIk0WI
                                                                                                                                                                                                                                        MD5:6BC1F35C566DB4ECD8BAF3743D2870E6
                                                                                                                                                                                                                                        SHA1:601715D1D9819B47C82B319FE2A4997BA309E253
                                                                                                                                                                                                                                        SHA-256:A06603E1BED06E77D6AF9F074B5B9C38FC1EF071642DEBB9CA7346E7A0DE43BA
                                                                                                                                                                                                                                        SHA-512:8FB6F9F2633FAD6E52EBD72508B6ABFB018D084FAE208E5DB78058A4C56440241606F37EAB30BBFDAB9FB12A47A5355B077884CEEEB45DEB6362F818358ADB24
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.b..........." ..0..*..........6&... ...`....... ..............................H.....@..................................%..O....`...............4..((...........%..T............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................&......H............D...................$........................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. R..0 )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{....*"..}....*..(....*:.(......(....*"..(....*f.(....%-.&+.(b.....(....*..(....*"..(....*...0..%.........("...(#...($....#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.668355487331651
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAwBr:/rMcXP64LEpYi605r
                                                                                                                                                                                                                                        MD5:605210914808A62CA857B3F8D108B90D
                                                                                                                                                                                                                                        SHA1:64E76CDB5B64664EF47670B9163BE8A9D50E548D
                                                                                                                                                                                                                                        SHA-256:C898601F4343913B0F1E9858A743AAA9EDB939C038A9C53533BACF8337FD9B71
                                                                                                                                                                                                                                        SHA-512:C0EEF0A097805E6F430E7FE593387CE8F03C6E5C5F921EDCA6B61378DF0A928EBA12945AB7ABC7A347BEA3F463B3E2CAF811B832EE832B30BA03B244D60D901E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................f-....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):420392
                                                                                                                                                                                                                                        Entropy (8bit):6.109606170124341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:u5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFL:upjblhW1r
                                                                                                                                                                                                                                        MD5:C5F7EE9E0C29B6C6EEAEFB5CCA587583
                                                                                                                                                                                                                                        SHA1:899F92435FA37001A2A1C68F02FF2AA08398F074
                                                                                                                                                                                                                                        SHA-256:A3F70425EBD28D6C5D908375411BF1495480DF1A4E74FB4DB55890830B54070B
                                                                                                                                                                                                                                        SHA-512:017A9818F2E294F801179A8A06166539F83EE2C6F7170AD3E3594BC08DF38F95B8EDE0B767AEABB1D9208EA59200586573AC896B22EE6318987339019A7514CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d.........." ..0..8...........T... ...`....... ....................................`..................................T..O....`..p............B..((..........XS............................................... ............... ..H............text... 6... ...8.................. ..`.rsrc...p....`.......:..............@..@.reloc...............@..............@..B.................T......H........X..\V.................R......................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....(.....r)..p.(........(u.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...D....%...!....%...%.........%....%.........s....(B...*vra..p.(....,...}....*..}....*..{....*vr...p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(j

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.267139970059605
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:AYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zg:AKC9niwOepJ6TJPeb6NIUFg76Kzg
                                                                                                                                                                                                                                        MD5:9EE2967BB286D1A63BD8E0087A8661BE
                                                                                                                                                                                                                                        SHA1:AF02F80E82D27D1EF55CD9902C2DD43A2E1567BF
                                                                                                                                                                                                                                        SHA-256:E13E0D62F93E846A783D5D719D09AAB06FA4F61A15B660460ED1D08061C25C6A
                                                                                                                                                                                                                                        SHA-512:AE58531F097A10F751FAE04432059C1105F24405AF06E93CB48635F2A102B73DB653B84E85A9824265E68338B03829ED0935AF34FB40265711FA02A081671A46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.160698125720867
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:GUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlq4:xBFd3/aFs2d
                                                                                                                                                                                                                                        MD5:82CF1FECB4D590BC03BEFF0336FB8CD0
                                                                                                                                                                                                                                        SHA1:CDE93175B010A14679BC4DAC27E3A9D36F2C7B8B
                                                                                                                                                                                                                                        SHA-256:45653A5E5940E9F8158235F3B5534C5DF47E9E9A5568AE60040A03B3451D03B1
                                                                                                                                                                                                                                        SHA-512:ED713069ECEE9DB6F94355DDA815B9FC7A689E76678476EB0C908388014BC88F4625FF310BB8B65B5F470B236830C5B3650EC5ABA56BE2EF5ACAC3873626F20E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`.......\....@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.511508970225241
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:1POw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76J:1Ww0SUUKBM8aOUiiGw7qa9tK/Yb2
                                                                                                                                                                                                                                        MD5:00B3D67D45C71784C7B4D3BB30547E9C
                                                                                                                                                                                                                                        SHA1:60C1D92D6A31AE50C9F780C7B31C9F6B7D15F1C9
                                                                                                                                                                                                                                        SHA-256:2E21AE066913936DC41D3563F355F81327265FAB501B339023E48352E35BF132
                                                                                                                                                                                                                                        SHA-512:1389DC57A1C8D37EFC7377232383D540134FD18A67CEC3F702FD0BAE0EF90E179CD0F3F2F3592EAD227F139AB88DBC06971A63A5C8DB1CE164B04FE744C54BD2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................S.....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.669890024742661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Sh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBEWr3m:Sy9gpEpYi60AXW
                                                                                                                                                                                                                                        MD5:18130E186CFE1DD3BFEAB111DD0FAE32
                                                                                                                                                                                                                                        SHA1:B519EA32B0B0F1B00B75FBB2AF5D99F91D24BC70
                                                                                                                                                                                                                                        SHA-256:3DF3784F25B3EE4FD24E7B0A0770C0280B09F7CD984E94F622F98E39466E654B
                                                                                                                                                                                                                                        SHA-512:38625510113ED4038C9216DE0B969EA18CEE201C89A2E861D46C149A36F609B16ABF4D89DF57DD783F118C5C7B93520C8D2BCADC961E351A62D88913CD5EF1D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................7.....@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19496
                                                                                                                                                                                                                                        Entropy (8bit):6.523111004922817
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:7yPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFtfV:7Ws6oqDjADKeDa5EpYi60/V
                                                                                                                                                                                                                                        MD5:567881C8D62A69733878564CA833B403
                                                                                                                                                                                                                                        SHA1:41B4994EB6C5896A4244B417A490A58D462B75DC
                                                                                                                                                                                                                                        SHA-256:D1837A1C9BF26CD129F672FC7191239AECEA5936E87A5BE101BB0649C1392EAD
                                                                                                                                                                                                                                        SHA-512:063B0FBB266D0E4EAF52B4B4EE0C327F1CC2FA7963D7024F7905EB6E5206D42983FD875A816983C935B1BA9EF55113A524A36560BC38F5E403BD3FB94EFCAF45
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ..............................Q\....@..................................2..O....@...............$..((...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41512
                                                                                                                                                                                                                                        Entropy (8bit):6.408844229157189
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZjfAw5tisU7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjBFtNyb8E9VF6IYijx:ZksU74GX7nwOa5VS2ozdBFJEpYi60BZ
                                                                                                                                                                                                                                        MD5:A5C8328575581E4D41D9B41619EC09CC
                                                                                                                                                                                                                                        SHA1:ECF10FE71F38457C2E6C1302150E33F205282318
                                                                                                                                                                                                                                        SHA-256:978A57BAA3D95D3EF26EF8397E92C3F8F3FDC3CDF24D34B67F3BDB5FAB834D05
                                                                                                                                                                                                                                        SHA-512:011C577B1DB257D52D20CEBC1847B7A036453C3CD38968BEED9E558E502C84DBF3592D2C70183A8D7BF6FD60FBD01555A6DADAD44741ABCDC94E5CB83151B067
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M+g.........."...0..n..........r.... ........@.. .............................. B....`................................. ...O....................z..((.......................................................... ............... ..H............text...xm... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B................T.......H........!...............1..@Z............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....rY..p~....o....t....*.~....*..(....*Vs....(....t.........*.(.....(....(......,....s....o....*(....*.0..........(....o ...rm..p(!...(".....'...%.. .o#......i./..|s$......)...(.......(%....)...o&.......o'......i.0..+....o(......i.0..+....o)......i....+....o*...s+....o,.....,..(-.....&..*..................0..........(.... ....`(/.....&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79912
                                                                                                                                                                                                                                        Entropy (8bit):6.0518541609970535
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:fK7G/lnhlforkV5/EmaScsU7cywzLFTw76L9:fthlQAV5/PaFsU7cyQFTwa9
                                                                                                                                                                                                                                        MD5:4280F0FBC4E40A71E2E03D18CE1BE1F5
                                                                                                                                                                                                                                        SHA1:80C396D199D31E9E5B8EC85C3F1B2BC206973BEA
                                                                                                                                                                                                                                        SHA-256:99CCAB5EA739DFD2B0ED4DA2832AC75756AE02FF04143C0B1941784AB4CF8BAD
                                                                                                                                                                                                                                        SHA-512:27B584B0FD10F681EE6D8372B4F32FD418593908FF27EC3F681FAE2C3DF3B8A3E3D18B6D40D3935E559280563F8D84E9D4725E73CA421EE9DC2FFC44ACD1546C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i............" ..0.............*$... ...@....... ...............................q....`..................................#..O....@..................((...`...... #..8............................................ ............... ..H............text...0.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......hY...............................................................0..........(....(.....r...p... .....r...p..(......o......(.....o......(.....o..........s......[o......s....%.o........o .....s!..........s"...%......io#...o$.....o%...(&.........,...o'......*......y.,........0..........(....(.....r...p... .....r...p..(......o......(.....o.......((.........s......[o......s....%.o........o).......s*..........s"......i.l...........io+.....(.........o,.........,...o'......*.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                        SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                        SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                        SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):351272
                                                                                                                                                                                                                                        Entropy (8bit):2.9077205572565528
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:lGO21tSb/jb5aEH8VAynnnnnnnnnnnnnnn8XZH:lR5X
                                                                                                                                                                                                                                        MD5:5A59A3D00878BC0F1F678AF81A0439DF
                                                                                                                                                                                                                                        SHA1:0FD59FB8A57A4965F5A28BB7C59E72A0A76761E2
                                                                                                                                                                                                                                        SHA-256:6FC476950C00E8ADC245F58ADF9EE1E2C17DD34F1AA004285148F85CE651BDA6
                                                                                                                                                                                                                                        SHA-512:0512DBA7A45310D40415023DB3BC081E17636B7E3DE06D06EBE841EB0877B302BE67354B825C8F2E50FEDA34458E807D307A58E65BB7DF811CC9A4D2A81F5A5C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M+g.........."...0......d........... ........@.. ....................................`.....................................O........a...........4..((........................................................... ............... ..H............text........ ...................... ..`.rsrc....a.......b..................@..@.reloc...............2..............@..B........................H........*..h&..........(Q..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59944
                                                                                                                                                                                                                                        Entropy (8bit):6.130879435815544
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:f6O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60cB:f6O4JuxnT+UuLMcBClyrvGGa76HB
                                                                                                                                                                                                                                        MD5:59864C477F3C1F03DEAD4ABC720F6E17
                                                                                                                                                                                                                                        SHA1:31187ED10389FB0758491719F1FD49A1DAA9961A
                                                                                                                                                                                                                                        SHA-256:F192BF7246AB25C5E6279CFBDA87EF7F187F43E15102F9FEDBCDD64F22A1914F
                                                                                                                                                                                                                                        SHA-512:621FB602D6CA323B224E726E8ECC294BEC2E57D2B8B693CA622A9A3D988EF8A97D6DFFC98C3C2D1F2A22E218BB7E54F409087C75D456B5B5DBC57298A964F82D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... ............`.................................m...O.......................((..............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........X..0.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..s....}.....s....}.....(......o8...(...+}....*..0...........{....o.....8......(.....s.......}E.....u....}D....{D...,........s....(....&+ms.......}G.....u....}F....{F...,........s....(....&+8s.........}I......u....}H.....{H...,.........s....(....&..(....:J.............o.....*.................0..I........{....o.....{....o.....+...(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1191
                                                                                                                                                                                                                                        Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                        MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                        SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                        SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                        SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23080
                                                                                                                                                                                                                                        Entropy (8bit):6.496637771650592
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4LOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyyqT:4nMTR0Pa25EpYi60q
                                                                                                                                                                                                                                        MD5:BD64C182A6328A0447CEB7B95594CD03
                                                                                                                                                                                                                                        SHA1:7CC8D0CD30F18DB3F6DF653C09ED84E772E154CF
                                                                                                                                                                                                                                        SHA-256:409F42114C6E8C2CA2A0CBEB381BC5FECEE8F874100069062779EAC0E1F026B7
                                                                                                                                                                                                                                        SHA-512:BB02105BB595FF185D0DC46716717209C3A033534FB297B930919AE761D0F2288292E0730CAB41B903347BBEB72B3EE6D0A3B743F3EF12A208654F506409354A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.\.........." ..0..(...........G... ...`....... ..............................8J....`..................................F..O....`..L............2..((...........E............................................... ............... ..H............text...4'... ...(.................. ..`.rsrc...L....`.......*..............@..@.reloc...............0..............@..B.................G......H........)..$............................................................~....*.......**...(.....*...0...........~.....o......,..~.....o......+i.s(...%.o.....%.o.....%.o.....%.o.....%.o....o ....%.o....o"....%.o....o$....%.o....o&.....~......o........+..*..0............(.......o....o.......o%...o................o!......(....}.......o!......(....}.......o!......(.....o#.......(....X}.......o!......(.....o#.......(....X}..............s..........%..o.....#....%........o ...&*...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1817640
                                                                                                                                                                                                                                        Entropy (8bit):6.5513719499124194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:x9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPn:x9Nzm31PMon
                                                                                                                                                                                                                                        MD5:05340978B996457954B18B985C27B353
                                                                                                                                                                                                                                        SHA1:00C6DA1D707F3A892549023DD7E6A9E702ADA7B6
                                                                                                                                                                                                                                        SHA-256:B2C723A9EA911B88BBE1EF2F3B51DBB156E4F525DEA7294EDB24B3D05E31560C
                                                                                                                                                                                                                                        SHA-512:0D9F688708BADE4E6B0B282A3ECED8B9EC2EF9717D0B36DD8214B207C631C75BF902C9FB247AEF6E1496EC48CD63DA4E9D006634A7D1B58ACA6A6FC97010B0B4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." ................................................................j.....`.................................................P...x................!......((...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436200
                                                                                                                                                                                                                                        Entropy (8bit):6.7813386810105865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Vs5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEs3:AlI+vIjE7mjOuKa8Riy+gvhaIn2+0U
                                                                                                                                                                                                                                        MD5:64495CDE32937D4E290475D65956A4C9
                                                                                                                                                                                                                                        SHA1:B51B42D7FB5185928069F22C70C1303037F11D3C
                                                                                                                                                                                                                                        SHA-256:AC66BC7D48BEDE595CD8D60395B622B6971A21809D7AE9828B3B32477E6049D9
                                                                                                                                                                                                                                        SHA-512:CD0C009C898F36D6574CF19F7B64321C8D312A6B62586DAE90B4CFBFB88B963A4BEB0218119225B2B270CCB28318F87E26880BB2A3FFE838A69AF57F6DB096BB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..{2..(2..(2..(.*W(...(.*U(...(.*T(...(..)%..(..)'..(..)=..(.Im(:..(,.5(1..(2..(...(..)3..(..)3..(..Y(3..(..)3..(Rich2..(........PE..L.....d...........!.....f...X............................................................@.........................P...t.......x....`..................((...p..X...@...p...............................@...............H............................text....d.......f.................. ..`.rdata..............j..............@..@.data....8.......,..................@....gfids.......P.......&..............@..@.rsrc........`.......(..............@..@.reloc..X....p.......2..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):583489
                                                                                                                                                                                                                                        Entropy (8bit):7.99944408666799
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:CLLJGMlifhYeKrN8qSQDqPVK04BwQjtVcUf7DmZMilOugjC6w:GwfhYeKraZQDqPY0E/4Uf7owugjm
                                                                                                                                                                                                                                        MD5:9614D1DA18956DE06747C03068208D66
                                                                                                                                                                                                                                        SHA1:FEA2680DDB9E4CEEA8489A132DF9A1542FEBFE88
                                                                                                                                                                                                                                        SHA-256:DDE9E0CA3FD274902F1A4C22CFEC6870C6C4DBBCCAD17D2189477AB60F769DAB
                                                                                                                                                                                                                                        SHA-512:D8E46A5819E9DCED61471966646DE153BF3480933054C50190D50DE4900685265367B12C9147630F184CE8809786FC010BF6FCD1884035FB4C77CFDE660A8B9D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......q1Y............5...AgentPackageUpgradeAgent/AgentPackageUpgradeAgent.exe....0........d.......o.H..:|p^xA......v.g.J..r:.....@..Q..H..^"]....G..... |...o.<?%....#".....3_s....c..JN.j..Vg_.....$...".,=T.=..5.b.U-..5..7"..H.....9462.._.Mb.e....&.cJ.+!:.....7H]p..#..()6~..0...|8..\......~.D..M.R..Y-[.efI...O..3..\.D.O.V."..0....l.....~.zdP.Hh.r.^R.z5 .=b.....%.X....(..E..T].'bk..ir...V...|.M....=...<..e...5... ...V./.....,....{..-.xa..s.}.e.{........y.%.LY^..HnIp.;....+.Gy.. .Z..e2.bxOy.._...L..g.F.{.C.....9......T.^.I.........NK4.a..4...cf<..@.GI..q..L7.]..f.g[.......E|{x...1....E...8..!.u..g..^%....Y.5^..|...H.....&hQ..E..i(:.6.............)A...Q=..).l..bs#5......./..Q.3..8.-......f@WV.d]i".{d[..v.p.l+.WO.]L...x<....rz#.*i......!.-.F*.:\9.%.cI.Y...=..f.\....9?.v,..}<../<c...U..C._o....'. .;..$,.. .Y......z..m.........#t.<..i..s....u...D..}5O..5O......j..O.../.%8.p.5...@....M....[rG...L.o...J2..<rS...[i<....})}....[x.....v^..=.su....Oy@g....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55344
                                                                                                                                                                                                                                        Entropy (8bit):5.801614737823664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:R4DgbepEIgcvDiMd+R5B153ieGuftxw5dfiGoxkEpYinAMxCN4:Rr4EIgcxdQdGuftxw5dfiZd7Hxe4
                                                                                                                                                                                                                                        MD5:D11B2139D29E79D795054C3866898B7F
                                                                                                                                                                                                                                        SHA1:020581C77ED4BC01C3F3912F304A46C12CA443E6
                                                                                                                                                                                                                                        SHA-256:11CDB5EC172389F93F80D8EFF0B9E5D4A98CFEAB6F2C0E0BC301A6895A747566
                                                                                                                                                                                                                                        SHA-512:DE5DEF2EFCBA83A4B9301DD342391C306CF68D0BB64104839DFC329B343544FD40597A2B9867FD2A8739C63081D74157ACFC9B59C0CB4878B2F5155F582A6F09
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..f.........."...0.................. ........@.. ....................... .......M....`.................................h...O.......x...............0(..........0................................................ ............... ..H............text........ ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B........................H.......pR...n...........................................................0..Y........o.......+C......o......r...p.o....t)...r...p(....,.........,..o.......&....X....i2..*..*...........$;..........8G.......0..#.......~....r/..po.......(....}.....{....(....,.rw..ps....z..{....o......r...p.o.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.....r...po.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.......,..o.........5.,..o......,..o......,..o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):535
                                                                                                                                                                                                                                        Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                        SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                        SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                        SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSjn:WBa
                                                                                                                                                                                                                                        MD5:7E9C5492C1485A2AE94A108F6FFEEA95
                                                                                                                                                                                                                                        SHA1:F00A6A35F3D41AFF9ED2C028C26D918EEF06B715
                                                                                                                                                                                                                                        SHA-256:04CA73099B2058974220319A7CC3E156AE24AFA13B28F340E8D97B021D1BBC95
                                                                                                                                                                                                                                        SHA-512:191B4297645813DD163611547EC2708BD6678E535429FC4D771472BC185C887CAF24FAAA7F1DCF78577739E3D06387A756A11193C68918DDF47D21328CA1E4DC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.179944898759355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:XJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwm:XQUm2H5KTfOLgxFJjE50vksVUfPvCz
                                                                                                                                                                                                                                        MD5:9A344D6A16A6FEF791701FC52FA722A2
                                                                                                                                                                                                                                        SHA1:7F1CEF75650CA626D79F7F15818851A9C297F65E
                                                                                                                                                                                                                                        SHA-256:80890B7E8F3CC557A87BB1F84C7C30CA9B08B3F8AA68184D99439305EF91388E
                                                                                                                                                                                                                                        SHA-512:93ED10309A2EA138FE31BE55F82627290DDA0F8B7AEA63A54D97BB6EF2985BCC0449FCCC288DEF154D9F3318FB4DA9CAC3FBB4727986997DD1CDD5C97541139E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ....................................`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186416
                                                                                                                                                                                                                                        Entropy (8bit):5.934478472448458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFes:0+c7b1W4R6joxfQ8p
                                                                                                                                                                                                                                        MD5:A68241D6E026F218B259FD2CE8F744C0
                                                                                                                                                                                                                                        SHA1:DEA3F011BBC728DB750A054CCF3C5FDFE583EB91
                                                                                                                                                                                                                                        SHA-256:B0F5B75176B338F03AF4BB287259F36167D86C7A6EF128FE021B7401854F2362
                                                                                                                                                                                                                                        SHA-512:1CBFA69C0F75ADAC4C61A84A803201E1897B2A24E50570C44048C6DDAB57A03A1DEBEE04671A8F1FE83745ECD8A91447A4E4E10611811A8B136B3B2016EAD119
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ...............................P....@.................................,...O.......................0(........................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331824
                                                                                                                                                                                                                                        Entropy (8bit):6.168966743027853
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:KBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTe:KDMUWITZznu85k8Wdn8KmCjIFi3VvC
                                                                                                                                                                                                                                        MD5:DE6B588BD13AFFC760EE32D105C77A21
                                                                                                                                                                                                                                        SHA1:F9D20F683938F0347F0C2782D0E05FCFA143CEE1
                                                                                                                                                                                                                                        SHA-256:07762DCF4082B9A14BEC37573058015F03D26B46B9A6B7B0C0E66402CBE256F1
                                                                                                                                                                                                                                        SHA-512:6D0947E89ED1BF942C6BB93309BDD45B83FD92A3B8D0C4E3265A581DB9318B88187BDE5A58CFB5EE3A7BFE48167D4438B85D9FF03283C73A97B1C6022FE7CBCE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@...........@.....................................O.......................0(... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.9607419702126485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:cBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUZ:cBjk38WuBcAbwoA/BkjSHXP36RMGw
                                                                                                                                                                                                                                        MD5:C2EBB296A9B097C4BC36018341C2F514
                                                                                                                                                                                                                                        SHA1:55B79CCD4F93AC6EF3AE6E2AD858DE5F23516EC9
                                                                                                                                                                                                                                        SHA-256:3CFB2C5E1947565F0795FCF5C0587B8F021842D52E79A40F25070BCABCE48089
                                                                                                                                                                                                                                        SHA-512:BF95FA3B93A25E040D3521BF8436BBA505D09F659360C0606F259607083D9C4F1366683CFE0215D4F13CE875E753B12F1DE058A3D0CBB84C3948644D0E7BDEEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ....../t....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55856
                                                                                                                                                                                                                                        Entropy (8bit):6.2394409505734165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:rREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLa:rR8+5k15z0WBZEtgwJq7Hx3u
                                                                                                                                                                                                                                        MD5:89D62604A1CA22A2F8FFD987B543D38E
                                                                                                                                                                                                                                        SHA1:64D7D345821AA76971BB9EF71CE731CCD9BFAC32
                                                                                                                                                                                                                                        SHA-256:80D4A38A5C0F117AFC7FC74A3F2DA39259BDD980BBA85687FF2019C8262E171D
                                                                                                                                                                                                                                        SHA-512:1173C7AFE2719EF324342A6D3EA459319533843CFE8A04CDC63FCF3D8A2D6DC4BB537FC1A4DBA63F585EB11F3E16FB2F17C53BC64BC7318A52B44266A3A9A56E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0.................. .........c. ....................... .......e....`.................................P...O.......H...............0(........................................................... ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........".................."..P............................................................................................0.......................0.......................................................................................0...............0...................................................................................................0...............0...................................................0...............0..........................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):258
                                                                                                                                                                                                                                        Entropy (8bit):5.169797064709875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:A112GT89w3pKFSQojKAiwgT1cyZdDnhUFxUgDX:NK7MSQo2/T11eFisX
                                                                                                                                                                                                                                        MD5:F14241A2267BED28DCC6A65B8EA352C9
                                                                                                                                                                                                                                        SHA1:A3EB6574B90ED5E59AF44C95C136FDC0E3BB384F
                                                                                                                                                                                                                                        SHA-256:84398BC64EF14589FCB4946A93B8A909E47FE55E7D94BA8D432F971070DED29F
                                                                                                                                                                                                                                        SHA-512:5F8461CFEDA6001802AC9A0DF16F99163A0FA89952A653088A8342CC29991E64F8B7BE5854C834AF74810BD08DF8278B6D2502157B3182E6EDDAA0FF89A17A40
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=marisol.condimentos@hotmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000ND5FxIAL /AgentId=a6dedb0f-2022-4aea-abf1-f34b9f20892e.08/11/2024 07:50:42 Trace Starting..08/11/2024 07:51:02 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):157873
                                                                                                                                                                                                                                        Entropy (8bit):4.753497932507659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ZHXt/BWDLm8arfT4h6+2j+S64ioX+g15titNI6cSM:gDLmtrfT4hj2ju0X9wGSM
                                                                                                                                                                                                                                        MD5:AB3D7C0401590BBDAF4B3C84592D24D6
                                                                                                                                                                                                                                        SHA1:756F86B49CA2035638F77BBEB60CFE6A827B553E
                                                                                                                                                                                                                                        SHA-256:4428A8B3F1A63312918FF5F8E1D5EE1F6EEBA9D73A336721338D494D2B6E5F6C
                                                                                                                                                                                                                                        SHA-512:24AAC8D02347EF3E226531CA15B71714CB53546C7AA1B4D961A72E097C3528AE2590B00ECBAA7E80815E99FAFB6919D234E957DFCD08467CD753B24C004B6124
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<pre>Acknowledgments....This Splashtop software incorporates materials from third parties, the use of which is hereby acknowledged.....================================================================....AES....Copyright (c) 1998-2010, Brian Gladman, Worcester, UK. All rights reserved.....The redistribution and use of this software (with or without changes)..is allowed without the payment of fees or royalties provided that:.... source code distributions include the above copyright notice, this.. list of conditions and the following disclaimer;.... binary distributions include the above copyright notice, this list.. of conditions and the following disclaimer in their documentation.....This software is provided 'as is' with no explicit or implied warranties..in respect of its operation, including, but not limited to, correctness..and fitness for purpose.....================================================================....CELT....Copyright 2001-2009 Jean-Marc Valin, Timothy B. Terri

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):310280
                                                                                                                                                                                                                                        Entropy (8bit):6.406682858396138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:B2ewUPD+fCEWepqJ1u45FC9xrIaPXiyVfl/7RohyyP16+Dfj8d3:NRPD+KLepIu4qnrIBy/7RoPfO
                                                                                                                                                                                                                                        MD5:FB1A6F0CB84ACB237FF0E42E5CF876A6
                                                                                                                                                                                                                                        SHA1:6CDEBFA5ABBF7BA48179DFF13A1343F3C4D9348F
                                                                                                                                                                                                                                        SHA-256:DA5E12D077875B4F93210B10689F28B6EF33480E3BD2362E80F11EDFF8C9966D
                                                                                                                                                                                                                                        SHA-512:2602908AB2FAF07C1957DAD00960F6432D08BDD7327DB96D1338C87B1E18CB025B381378BA4BC800F558D26D76922E5882481A99B17575D3D48208C289EE3B8D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........PC..C..C......H.............Q....R....I...........F..C../..W...B..W.[.B..C.3.B..W...B..RichC..........................PE..d.....0e.........."....$............H..........@.....................................u....`..................................................F..<.......H.......H'.......(..........@...p...............................@............................................text............................... ..`.rdata...@.......B..................@..@.data....+...`.......F..............@....pdata..H'.......(...Z..............@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):249864
                                                                                                                                                                                                                                        Entropy (8bit):6.627715385431378
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:gbNEPN9Db8oxccZd8lZOWb1yBGAOnpe6nbXcw:gc/8oxc5yBGVpJbXcw
                                                                                                                                                                                                                                        MD5:151AAE6C0F0E40AB4138AF953768AB37
                                                                                                                                                                                                                                        SHA1:18F55A0707EE7140776D7857D0AF56D471289960
                                                                                                                                                                                                                                        SHA-256:F253CE8A8C4CDC4FD7A93A04515B208D461FF6E4076F64431E7EC7E9E5E08923
                                                                                                                                                                                                                                        SHA-512:40FFF8741C8AFB0EF2E6F8F69755F8A2E1F6422943341BBE680EEEFE939731F39E59D1C608B7C23AA649C3F2D93E6104E6B420A755F551F555504E1028B91C68
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.B.>},.>},.>},.../.3},...)..},...(.(},...(./},.../.+},...).q},...-.;},.>}-.]},.*.%.?},.*..?},.>}..?},.*...?},.Rich>},.........................PE..L...+.0e...............$.....2....................@.......................................@................................. p..<.......H................(....... ...H..p........................... H..@...............h............................text............................... ..`.rdata..J...........................@..@.data...p............n..............@....rsrc...H...........................@..@.reloc... ......."..................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):40160
                                                                                                                                                                                                                                        Entropy (8bit):6.316240044981803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3z+6yz3JqnYCblcp6wOmMQC4cT3AZ21w6LuOBjEwXxyvJ3GB1C2GCTaZum8e:3ByY12kwOm8s2diSXCIB1yC2HT
                                                                                                                                                                                                                                        MD5:1033D6EFB14B7C8308A261E7151A8FDD
                                                                                                                                                                                                                                        SHA1:C331C67E93DA33EAAAAA0A4033855F185A79DE99
                                                                                                                                                                                                                                        SHA-256:6A14EFEE1EAD8592B0E5199DB4E7256462F135D6DC10A803D98D03CFC4F1E678
                                                                                                                                                                                                                                        SHA-512:083C365FD00BDED1637CBA2DDCE2FC3D93A8C60122F01CCD675A13EFF4C7663EE0FCE1B3316755FC971B3A3E6D242E29236180508D03C803950E2159B374767B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........wU.............f.......f...............f.......f.......f.......f.......f.......f......Rich............................PE..d...7.#R.........."......`..........t..........................................................................................................(.......P....`..x...............4....B...............................................@...............................text....".......$.................. ..h.rdata.......@.......(..............@..H.data... ....P.......4..............@....pdata..x....`.......8..............@..HPAGE....f0...p...2...<.............. ..`INIT.................n.............. ....rsrc...P............x..............@..B.reloc...............~..............@..B........................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):224
                                                                                                                                                                                                                                        Entropy (8bit):4.68750285687923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajs/dCiI4FDIIlfILQIIbdELV0Lr+FDIIGKhaL3C:kidCiRxt2QjdRCxeKcL3C
                                                                                                                                                                                                                                        MD5:EBC2A6216B737E813732ECA1BB1F2AF2
                                                                                                                                                                                                                                        SHA1:6E63AB58C2055A3F276C1CD36FA406E37C099099
                                                                                                                                                                                                                                        SHA-256:275C9771ED3AC2ABE0989A114804ADD0CCED09F8A1BFF1633C4F79929921713B
                                                                                                                                                                                                                                        SHA-512:248CD17E4836B429DF0923E8C04FD3F8ECAB7CC8BFF6761F06AAED420111FF5DBADCC974193701DEBF63655CD79E8E0D0B6C7599760B13ABA19B5C0E178BF7EC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log..utils\devcon.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum.exe -p 1000 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):232
                                                                                                                                                                                                                                        Entropy (8bit):4.776744518403625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajs/dRLPI4FDIIlBILQIIbdRL6V0Lr+FDIItGKhaL3C:kiddRxr2QjdHCxwKcL3C
                                                                                                                                                                                                                                        MD5:4AD78E888894B3F89711D75D526E2D9A
                                                                                                                                                                                                                                        SHA1:A01DD7B5F20052AB27B721127DAB01A34666D4D9
                                                                                                                                                                                                                                        SHA-256:8B82E0E205711B8A22939AB86BF955DB938D2A733F57E48404DD118B5DDB9AE5
                                                                                                                                                                                                                                        SHA-512:CD6C972070593A6FE09778BC043C84CABE61E96FC3EA1B529D993540678AE0E99A641BFFAB87B3AE954977F0C0A9C639185889421225C185615C4EC34A8699F3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log..utils\devcon64.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum64.exe -p 1000 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8955
                                                                                                                                                                                                                                        Entropy (8bit):7.156854915296666
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3F37o7MECwCNnYe+PjPGr9ZCApkT1rrZgjlerpLF+vc1rbrRnJ4aTT:3NEuwCNnYPL/p1P6jeL3JrRiaT
                                                                                                                                                                                                                                        MD5:214E5DB2F6D3FF72B6E4F3BACCD7ECB0
                                                                                                                                                                                                                                        SHA1:64CC6A8F3E79BFA0301924D4A18370CFDD8ED955
                                                                                                                                                                                                                                        SHA-256:C23C1C358705DCE49FD6D1BEB1B0482F74DFCE35FEE7AE4D0C79390385FD22F9
                                                                                                                                                                                                                                        SHA-512:E31E2455A7014937F3E9ECA05D192320CF6159CED333888C6612BE36453F72D76F1015FC1306D41F41CD5F4CB206028ECD99C0F28505D29B6E9E0F497D231D17
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0."...*.H........".0."....1.0...+......0.....+.....7.....{0..w0...+.....7........'PP.M.B.....v..130902014741Z0...+.....7.....0..e0....RA.6.6.8.6.5.4.3.B.1.2.3.6.6.1.8.8.6.3.A.1.F.A.6.3.F.A.2.B.1.4.F.A.8.A.E.5.4.F.A...1..k0>..+.....7...100....F.i.l.e........s.t.g.a.m.e.p.a.d...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........heC.#f..:..?..O..T.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RC.C.2.3.0.0.C.3.E.9.D.5.2.9.0.A.2.A.4.0.6.2.7.3.A.0.F.8.3.5.8.1.D.3.7.F.F.0.1.8...1..s0>..+.....7...100....F.i.l.e........s.t.g.a.m.e.p.a.d...s.y.s...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1598
                                                                                                                                                                                                                                        Entropy (8bit):5.348428467214068
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:BoJAo10StKRqv8rI3OB/7wBZBZhvC3R7YxGcSF+125dLH/kvGPGo:BoJbkEvReNErZZcQ125CvQR
                                                                                                                                                                                                                                        MD5:5AE5F4B07FABDB969DDA6425E54C4DDD
                                                                                                                                                                                                                                        SHA1:A6686543B1236618863A1FA63FA2B14FA8AE54FA
                                                                                                                                                                                                                                        SHA-256:489CFA94B8FAEA97E0CF73714A65890418247BF34023DC4FDEBB03EF233B12F9
                                                                                                                                                                                                                                        SHA-512:C8751CF986E7A2800924D9707FB40AA95F5EE2431E16D5EEDC583FEA1F5351C95BF3FD90AC0EBD81AFC7262FBFA6C452BF1CA1B908E7360515970F146D0D6E50
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature="$CHICAGO$"..Class=System..ClassGuid={4D36E97D-E325-11CE-BFC1-08002BE10318}..Provider=%splashtop%..DriverVer=05/21/2013,1.0.0.0..CatalogFile=stgamepad.cat....[SourceDisksFiles]..stgamepad.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..DefaultDestDir = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....[Vendor.NTx86]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[StGamepad_Install.NT]..CopyFiles = StGamepad_Install.NT.Copy....[StGamepad_Install.NT.hw]..AddReg = StGamepad_Device_AddReg....[StGamepad_Install.NT.Copy]..stgamepad.sys....[StGamepad_Device_AddReg]....[StGamepad_Install.NT.Service

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33504
                                                                                                                                                                                                                                        Entropy (8bit):6.4990196288743425
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Uwyk2eCK3PRiZ1bcvrlEeT0OEM859sKkgTvEakiX5vFmXhBcfoaM8l1l3nzWPDP8:UupCJeT5EgKkgTMa3VFMmAalaPzumy
                                                                                                                                                                                                                                        MD5:4C3233F0B9A5BC7B58B464C9E1E86D52
                                                                                                                                                                                                                                        SHA1:FCCE254ED5DF8DE6D21623A6E53FA2AEEE030365
                                                                                                                                                                                                                                        SHA-256:832328B8DD98D51A9CE29C3953E85AFB036964299B93B9FB929023F15C63AD9A
                                                                                                                                                                                                                                        SHA-512:884A22B0CE16B91B1A04D6B5E99678CC584484FF5BE3D92ADDB27F0E9D58BFF57A9716C843789F9BD59EC79A55EF342DFD2A0EF39C6E7776CD4FC0211EE8DFCF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........i...i...i.......i.....i...h...i.......i.....i.......i.......i.Rich..i.........................PE..L...5.#R.................N..................0.......................................;..........................................<.......P............f.............. 1...............................................0...............................text...(........................... ..h.rdata..V....0......."..............@..H.data...4....@.......*..............@...PAGE.....%...P...&...,.............. ..`INIT....8............R.............. ....rsrc...P............\..............@..B.reloc...............b..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154
                                                                                                                                                                                                                                        Entropy (8bit):4.715757968072225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:jTDVBF+jVy9kCCWo7EIbd/KiIKTAxsHs2yo7EIl2YILzDoC:/AjsC3IIbdCiI4FDIIlfILQC
                                                                                                                                                                                                                                        MD5:5D33C035F7B22B463DBD01BC0D31C9E9
                                                                                                                                                                                                                                        SHA1:5345461EF02D330178F047FFBD40C5F4B142A416
                                                                                                                                                                                                                                        SHA-256:45C7D88A3D4643220137D23DBE0EB5CE45DFB6AD16EDC1D6EE4CA8FD1C41AF49
                                                                                                                                                                                                                                        SHA-512:88E339E01417D6EFAA8271E6F3A9D077711508A3EE4D0CF3A95E6607C0282D201633113EACB8A142189F54476AD7B501EAEEA5AC2D9297A06B1A7A55D73B8940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\enum.exe -u 0 >> inst.log..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):160
                                                                                                                                                                                                                                        Entropy (8bit):4.807126999960993
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:jTDVBF+jVy9dJFtCWo7EIbdRLX/IKTAxsHs2yo7EIl3xILzDoC:/AjsZW3IIbdRLPI4FDIIlBILQC
                                                                                                                                                                                                                                        MD5:D0E7FCE8A8281FC10CB9548299254079
                                                                                                                                                                                                                                        SHA1:112A4EA65D2CC4A1C57EB6967AC058C8EDE341DE
                                                                                                                                                                                                                                        SHA-256:11F757D09B095A89D52A990149379618551D88E92E1C9BEEFED243A083487260
                                                                                                                                                                                                                                        SHA-512:8132F0DFE0071D3CA3CC5D4CD6ED2634E61314BF6BB84AF5B5F97261E3E26601F1C6AA5C8ABBDA596639CAF4C0E2AFC3A2DE46BB92C199894DD5CFC2DF519CFF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\enum64.exe -u 0 >> inst.log..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                        MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                        SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                        SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                        SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                        MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                        SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                        SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                        SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77824
                                                                                                                                                                                                                                        Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                        MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                        SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                        SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                        SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                        MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                        SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                        SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                        SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                                                        Entropy (8bit):5.289815206775557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Qexcism3zhYFH1u0BFhdzQV3TdfPq12pru6JEkb8oHA1Ib/meUmV:QeKduuf1+DEgprhh82Tirm
                                                                                                                                                                                                                                        MD5:5F1E3F3B071AB0D51AB45060D156AF17
                                                                                                                                                                                                                                        SHA1:2FFCC9CC689C7C3DA18DF015C4BCC880F185C800
                                                                                                                                                                                                                                        SHA-256:B628E895BFC38227DB258DB91959C6D55367877669944DA022A89469101D8BCF
                                                                                                                                                                                                                                        SHA-512:3EAAB54CD58350BADBE0F32B78BA7EA8EA50072AA159A3A36AD730116247D225C164CFCAFFE920C34D9287E55E68D933A92D4F7E7D3CEF9E8E3F185DAB629BC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.9...W...W...W.......W.......W.......W......W...V.O.W.....].W.?{)...W.......W.......W.Rich..W.........PE..L...5.#R............................p........0....@..........................`......F.....@...... ..........................,%..P....@..8....................P..........................................@............................................text............................... ..`.data........0......................@....rsrc...8....@......."..............@..@.reloc.......P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                                                        Entropy (8bit):4.886509604340361
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:reQH6MzhfmNHuhv9LIFJxGNIiTwnPXIXBY+CzASxvh1b7sAmIb/IeUmV:rezev9cGNIiTGOY9Dxvh1xUrm
                                                                                                                                                                                                                                        MD5:815848A1B7AA76DE38315A7C796165DE
                                                                                                                                                                                                                                        SHA1:131016320240F5760853BB0AE8ED34CE8865C4B5
                                                                                                                                                                                                                                        SHA-256:99FF169E6114BA53DDC6BFCDB08CF73CB1104E69EEDC2A13F39605A96CAA5367
                                                                                                                                                                                                                                        SHA-512:3A9453528FC5335AFF02717EE7271EBE253CF986FE71B7CE4BE4B060BE7EF625EA33877F98B2DEA54432A2F7625314A5B3DCF57518209E818EC03589257E69F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Kf................U.......C.0.....D.......S.....y...........n...y.........I.....(.........T.......Q.....Rich............PE..d...7.#R..........".................H.........@..............................p......|.....@.......... ......................................`$..P....P..8....@...............`..........................................................X............................text............................... ..`.data........0......................@....pdata.......@.......$..............@..@.rsrc...8....P.......&..............@..@.reloc..h....`.......,..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1416
                                                                                                                                                                                                                                        Entropy (8bit):5.221234341229966
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:VrY6t5UbhKRvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLk32pNaf1E:5Y6qhKT2mvsIeZvEuarJKhpXo1moJmiI
                                                                                                                                                                                                                                        MD5:BECB66962164A387453E351769E665A4
                                                                                                                                                                                                                                        SHA1:D5651F9CE02E1D48E85A33DCAFB906F3DC575365
                                                                                                                                                                                                                                        SHA-256:294AE63315DCFCBA4F8BB30BC4098E6BF39281244BC215FE9EB8EA3B778CEC48
                                                                                                                                                                                                                                        SHA-512:03523212E1827635EB2573ABE2B1A3D66BA529990917B739AF6B2C6727223D2E99E4A353B21F2871FFBCA44D22623409EA1451CF0A0ADBED9C0E8DBB6E55C6CF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1414
                                                                                                                                                                                                                                        Entropy (8bit):5.220204645552163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:VrY6t5UbhKdvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLkQ2pNaf1E:5Y6qhK32mvsIeZvEuarJKhpXo1moJmiX
                                                                                                                                                                                                                                        MD5:B80450985E33B188398EF5475FE3A4BA
                                                                                                                                                                                                                                        SHA1:6699FE7C174A9A585E3559A16877B5555687F6F0
                                                                                                                                                                                                                                        SHA-256:760BC44295820C5AF7E2D5077CE05EED8E23B3EF344D5C6C48422818DDE78D41
                                                                                                                                                                                                                                        SHA-512:BA29A71114A86E10ACE80F5B039DB68F4FE3BFD5592ECC6511D9AA0235E75ACFA188909EE0453593EBEFDB33DB46D1272C98A44350ABB24810C52FDEE817853F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):805
                                                                                                                                                                                                                                        Entropy (8bit):5.339948574341861
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:V8pgfeV4BZAK/1AN6gizSnOf6DE6Z9wmhKRvVLymhMm0KuKDLGuKw61IfQHyoHHO:VSIBBY6t5UbhKRvV7e6LpIJHT5C
                                                                                                                                                                                                                                        MD5:704D1CC8E0B87710278CE3EFD1C17954
                                                                                                                                                                                                                                        SHA1:EDF2D7FED5D3D88A657732B37C72E4CDEE90D12D
                                                                                                                                                                                                                                        SHA-256:FAB1408C7DE4B76FA3AF7AD4C9F25DF2063C591CDFC46445999D31B4DB712208
                                                                                                                                                                                                                                        SHA-512:6061B9BB1A4D55FD916A44C8619356DC4ED40C284F91FC2114CD5974533F762F88B4E0C49A265E96AD1E122ACFBA947D02AA3B11E43115D247FA0868661BDC3B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):817
                                                                                                                                                                                                                                        Entropy (8bit):5.35613829912293
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:V8pgMyeV4BZAK/1AN6gizSnOf6DE6Z9wmhKdWiVLymhMm0KuKDLGuKw61IfQHyoO:VS3sBBY6t5UbhKdvV7e6LpIJHT5C
                                                                                                                                                                                                                                        MD5:319DCF0B017DAFA51C33A7489D123F91
                                                                                                                                                                                                                                        SHA1:60F8E32A2E7E05F2384D8B66E51F8FF1DE70AC10
                                                                                                                                                                                                                                        SHA-256:44A271D1DD10FFC85815DF277E708BE462CC5AFABC43BD0D7A9505E35A70E488
                                                                                                                                                                                                                                        SHA-512:EE6403E7069C1185F6F34A02DA2DE1FEC2F859E89523B769CF9EFDCAA2CD9E5AFA501ADC38169A86D86DA1570C789116A29C2485F87201CFD2A770EC447A55C3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):85216
                                                                                                                                                                                                                                        Entropy (8bit):5.323561566613011
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:34rhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkApiKB:K+KY04RMmSCYmBiF4O7WTgKB
                                                                                                                                                                                                                                        MD5:CD483270630CCABBD1902C6B21FBE9D3
                                                                                                                                                                                                                                        SHA1:B33C3139DD83F108591383449D4F9136189D8F97
                                                                                                                                                                                                                                        SHA-256:49D6B913A4095A3E7B14554C91942BD5CDDDF9DCFDB076B31921592AFF1BC135
                                                                                                                                                                                                                                        SHA-512:DC92ED176DBB7CC27BE1FFF90F875B2582869465156BD70F363902524C716822FB9657AA944A6F02CB1E77271F3D24F8667F4A678F5BB5B5846AB18E455A731F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P......F.....@...... ..........................lm..........p............0.......@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):89312
                                                                                                                                                                                                                                        Entropy (8bit):5.29323585141242
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:UP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WsK6:UePOYe4bu1epDh8RWsK6
                                                                                                                                                                                                                                        MD5:07361279885BC0B334DDF5754CDB12FE
                                                                                                                                                                                                                                        SHA1:63A7320CD6992E2509EB1D82D550B1AA5FEA6A47
                                                                                                                                                                                                                                        SHA-256:96411A783BAA574421659E73B11F111A0EEB3D9B105CA55E29FE6C0B820646F7
                                                                                                                                                                                                                                        SHA-512:D07F5DFFEAD4470CAA935F6CD250DF9CA77A2D28C0B84112D83CE9ED7AC7A01CB012773FB290612E4DE45776BB919C395533AD3AD5497A3469BFE5B43FB5D1E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......Mz....@.......... ......................................X}..........p.......T....@.......`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10957
                                                                                                                                                                                                                                        Entropy (8bit):7.22853921730831
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0gNqq6a1DUuvE7EwWZhYC/nnbXfH098uXqnajH/svHa:0gEy9Zh3/njXuXlTsPa
                                                                                                                                                                                                                                        MD5:62458E58313475C9A3642A392363E359
                                                                                                                                                                                                                                        SHA1:E63A3866F20E8C057933BA75D940E5FD2BF62BC6
                                                                                                                                                                                                                                        SHA-256:85620D87874F27D1AAF1743C0CA47E210C51D9AFD0C9381FC0CD8ACCA3854562
                                                                                                                                                                                                                                        SHA-512:49FB8CA58AECF97A6AB6B97DE7D367ACCB7C5BE76FBCD324AF4CE75EFE96642E8C488F273C0363250F7A5BCEA7F7055242D28FD4B1F130B68A1A5D9A078E7FAD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.*...*.H........*.0.*....1.0...`.H.e......0..=..+.....7......0..*0...+.....7......?~..S.N.j....J...181204081131Z0...+.....7.....0...0......e.Q.82....jG.8....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...i.n.f...0.... _...U...woq..2..:.V.kx........1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... _...U...woq..2..:.V.kx........0.... `...m..d..E.f|.R.o../.ziR&7.._..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... `...m..d..E.f|.R.o../.ziR&7.._..0....d}...))...3e...u...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4514
                                                                                                                                                                                                                                        Entropy (8bit):3.7887986776100973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:9G2XN/WAXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9L5EDNRniWI6fyw5I
                                                                                                                                                                                                                                        MD5:1CEC22CA85E1B5A8615774FCA59A420B
                                                                                                                                                                                                                                        SHA1:049A651751EF38321A1088AF6A47C4380F9293FC
                                                                                                                                                                                                                                        SHA-256:60A018F46D17B7640FC34587667CD852A16FA8E82F957A69522637F22E5FE5CF
                                                                                                                                                                                                                                        SHA-512:0F24FE3914AEF080A0D109DF6CFAC548A880947FB85E7490F0D8FA174A606730B29DC8D2AE10525DBA4D1CA05AC9B190E4704629B86AC96867188DF4CA3168BB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .l.c.i._.i.d.d.c.x...i.n.f.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .L.C.I. .I.D.D.C.X. .D.r.i.v.e.r.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.L.C.I.%.....C.a.t.a.l.o.g.F.i.l.e.=.l.c.i._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.2./.0.4./.2.0.1.8.,.1...0...2.0.1.8...1.2.0.4.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_proxywddm.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12585
                                                                                                                                                                                                                                        Entropy (8bit):7.124479508046628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:M9yLPtUtkB7uIqhmbgE7EwWZhYCyZR/HsgKqnajVhY2c8evGd:gZO49Zh3e1MgKlxW2c8eed
                                                                                                                                                                                                                                        MD5:8E16D54F986DBE98812FD5EC04D434E8
                                                                                                                                                                                                                                        SHA1:8BF49FA8E12F801559CC2869365F0B184D7F93FE
                                                                                                                                                                                                                                        SHA-256:7C772FB24326E90D6E9C60A08495F32F7D5DEF1C52037D78CBD0436AD70549CD
                                                                                                                                                                                                                                        SHA-512:E1DA797044663AD6362641189FA78116CC4B8E611F9D33C89D6C562F981D5913920ACB12A4F7EF6C1871490563470E583910045378BDA5C7A13DB25F987E9029
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.1%..*.H........1.0.1....1.0...`.H.e......0.....+.....7......0...0...+.....7.....tW...d#O...L<":4..181204083207Z0...+.....7.....0...0....!,..8.'T......\.b.\s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$l.c.i._.p.r.o.x.y.w.d.d.m...s.y.s...0....;~.Y&h.L..@.ds. .A..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0.... \...s .p.mI^1:.M5KEO4..?l......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... \...s .p.mI^1:.M5KEO4..?l......0.... \...s .p.mI^1:.M5KEO4..?l......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0H..+.....7...1:08...F.i.l.e.......&l.c.i._.p.r.o.x.y.u.m.d.3.2...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_proxywddm.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2715
                                                                                                                                                                                                                                        Entropy (8bit):5.41680725095282
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:qnchtOKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pkua1YuSnEhn/A7ic4d4y
                                                                                                                                                                                                                                        MD5:0315A579F5AFE989154CB7C6A6376B05
                                                                                                                                                                                                                                        SHA1:E352FF670358CF71E0194918DFE47981E9CCBB88
                                                                                                                                                                                                                                        SHA-256:D10FA136D6AE9A15216202E4DD9F787B3A148213569E438DA3BF82B618D8001D
                                                                                                                                                                                                                                        SHA-512:C7CE8278BC5EE8F8B4738EF8BB2C0A96398B40DC65EEA1C28688E772AE0F873624311146F4F4EC8971C91DF57983D2D8CDBEC1FE98EAA7F9D15A2C159D80E0AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=12/04/2018,1.0.2018.1204..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53752
                                                                                                                                                                                                                                        Entropy (8bit):6.555505359489877
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:q4+LP4B5MAHFQq4OSGtGkVPKLIy0uwc0yeuUjsVbGVjp3haxZ3vOoKn:q4+LS5XYOSk1Kky0uww6s5mN3haxZI
                                                                                                                                                                                                                                        MD5:01E8BC64139D6B74467330B11331858D
                                                                                                                                                                                                                                        SHA1:B6421A1D92A791B4D4548AB84F7140F4FC4EB829
                                                                                                                                                                                                                                        SHA-256:148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438
                                                                                                                                                                                                                                        SHA-512:4099E8038D65D95D3F00FD32EBA012F55AE16D0DA3828E5D689EF32E20352FDFCC278CD6F78536DC7F28FB97D07185E654FE6EEE610822EA8D9E9D5AF696DFF5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........N.9./.j./.j./.j.q.k./.j.q.k./.j.q.k./.j.r.k./.j.WQj./.j.r.k./.j./.j./.j'.7j./.j'.3j./.j'.0j./.j.r.k./.j.q.k./.j.q.k./.j.q.k./.j.q=j./.j.q.k./.jRich./.j........................PE..d....%.\.........." .....X...@......@T....................................................`.........................................P...P................................?.......... ...8...........................`................p...............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...0...........................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184016
                                                                                                                                                                                                                                        Entropy (8bit):6.2322376663017
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:uSNRRE5JX6GkYj9i/hXJTqHDh3ibNrg4WhC8MFMbgGYgITUP4uvo4B:uS6Pb5KnT2dSNsC+gGx62v/
                                                                                                                                                                                                                                        MD5:4DC11547A5FC28CA8F6965FA21573481
                                                                                                                                                                                                                                        SHA1:D531B0D8D2F8D49D81A4C17FBAF3BC294845362C
                                                                                                                                                                                                                                        SHA-256:E9DB5CD21C8D709A47FC0CFB2C6CA3BB76A3ED8218BED5DC37948B3F9C7BD99D
                                                                                                                                                                                                                                        SHA-512:BD0F0A3BBC598480A9B678AA1B35728B2380BF57B195B0249936D0EAAA014F219031A563F486871099BF1C78CCC758F6B25B97CFC5296A73FC60B6CAFF9877F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Vj..7.R.7.R.7.R.j.S.7.R.j.S.7.R.i.S.7.R.i.S.7.R.i.S.7.R.j.S.7.R.7.R.7.R.j.S.7.RMi.S.7.RMi.S.7.RMi.S.7.RHi.R.7.RMi.S.7.RRich.7.R........PE..d....%.\.........." .....r...*............................................................`.........................................`M.......M..<................(.......@...........:..8...........................@:..................X............................text...`q.......r.................. ..`.rdata...............v..............@..@.data........`.......>..............@....pdata...(.......*...J..............@..@.gfids...............t..............@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138960
                                                                                                                                                                                                                                        Entropy (8bit):6.622950914796068
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Pi+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYqN:6+9cu1oF/AnqqN
                                                                                                                                                                                                                                        MD5:67AE7B2C36C9C70086B9D41B4515B0A8
                                                                                                                                                                                                                                        SHA1:BA735D6A338C8FDFA61C98F328B97BF3E8E48B8B
                                                                                                                                                                                                                                        SHA-256:79876F242B79269FE0FE3516F2BDB0A1922C86D820CE1DD98500B385511DAC69
                                                                                                                                                                                                                                        SHA-512:4D8320440F3472EE0E9BD489DA749A738370970DE07B0920B535642723C92DE848F4B3D7F898689C817145CE7B08F65128ABE91D816827AEB7E5E193D7027078
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0.......4....@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):122576
                                                                                                                                                                                                                                        Entropy (8bit):6.535740565012407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:dfSVevFp3FKtVy8ka9N9UOUNFZWEw+1M4hyFi:BSYNpkUOUrgxeMlo
                                                                                                                                                                                                                                        MD5:B9B0E9B4D93B18B99ECE31A819D71D00
                                                                                                                                                                                                                                        SHA1:2BE1AD570F3CCB2E6F2E2B16D1E0002CA4EC8D9E
                                                                                                                                                                                                                                        SHA-256:0F1C64C0FA08FE45BEAC15DC675D3B956525B8F198E92E0CCAC21D2A70CE42CF
                                                                                                                                                                                                                                        SHA-512:465E389806F3B87A544AB8B0B7B49864FEEBA2EEEF4FB51628D40175573ED1BA00B26D6A2ABEBC74C31369194206ED31D32C68471DDDCF817FDD2D26E3DA7A53
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C^./.?.|.?.|.?.|jb.}.?.|.?.|d?.|jb.}.?.|jb.}.?.|jb.}.?.|.a.}x?.|.a7|.?.|.a.}.?.|Rich.?.|........PE..d....%.\.........."......N...N......,..........@................................................................................................(............@...........@......L.......8............................................................................text............................... ..h.rdata..l,..........................@..H.data........0......................@....pdata.......@......."..............@..H.gfids.......P.......2..............@..HPAGE.....R...`...T...4.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc..L...........................@..B........................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23528
                                                                                                                                                                                                                                        Entropy (8bit):6.370136009210867
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6kV9C2/s2Abnkr+YcSIVO67k5hVAi59RKzOqUIUz8JN77hhM/l:vP0bE+YHIO67kLZVj83ha/l
                                                                                                                                                                                                                                        MD5:D53AD812F1146CDDEA6A89806CC2439A
                                                                                                                                                                                                                                        SHA1:5102973DF29B7E70AD8845D3B5FA36DBEF294D56
                                                                                                                                                                                                                                        SHA-256:009DFAD5DEA03EA0C0B963EEA9CDCDB78668C8B35C19E2B92311D8703F00D6D2
                                                                                                                                                                                                                                        SHA-512:38C2BFF7125F5BFD51A5D4D49D3C68BBCF9065057686AF8CAF7C3025BAE27CDFF4928BFB37C26A6ABAA750C699B99619E874CDD5EEF79F0E4010BB9ACCE56085
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..D.|...|...|..v...~|...|..B|..v...r|..v...t|..v...~|..v...~|..v...~|..Rich.|..........PE..d....%.\.........." .....6...........1...............................................Q....@.........................................pC.......;...............`.......@.......p..0... ................................................................................text....4.......6.................. ..`.data...@....P.......:..............@....pdata.......`.......<..............@..@.reloc..Z....p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48640
                                                                                                                                                                                                                                        Entropy (8bit):6.8164297445194135
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xbWmecDs6zvVt94VbJqvhkqskgSjySwigs2K5m6Vj83h57zZ3ao:xbM6JX0Jq5kNGUsn5maI3h57zZ
                                                                                                                                                                                                                                        MD5:6A0CCBFF305B23A4BAE471025EC28D52
                                                                                                                                                                                                                                        SHA1:02519EC7FCC88969621B6DC7F1294DA4EA6EA611
                                                                                                                                                                                                                                        SHA-256:6659E90D80A2FA0CF9F6CE40E511D8763664E78820F27081935AC1BFD4723A19
                                                                                                                                                                                                                                        SHA-512:4D357E3E9B19E2C18D1D3A1E6916C542243D6FF24D783A526B9E1C1605C328CD079A77AEE38DFF19BEC66E584CFDB4DF910CF98DF668D1EB2E825E2D36F816F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................................................A................x)'....x) ..........[......[......[......^.-....[......Rich...................PE..L....%.\...........!.....N...2.......E.......`......................................}.....@..........................p..T....q.......................~...@..........0l..8...........................hl...............`..H............................text...;L.......N.................. ..`.rdata..\....`.......R..............@..@.data................n..............@....gfids...............p..............@..@.rsrc................r..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138984
                                                                                                                                                                                                                                        Entropy (8bit):6.623789818078503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:0i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jY3v:7+9cu1oF/Anq3v
                                                                                                                                                                                                                                        MD5:4276EDDE541ED3F488FA26778BDBB0D9
                                                                                                                                                                                                                                        SHA1:16E06CA60A9F8BCA515D193DFD28B120446BC178
                                                                                                                                                                                                                                        SHA-256:617F731B8F55F1AC23E47FE3C7CFD1110F198A5A9EB207FC485F739808446808
                                                                                                                                                                                                                                        SHA-512:280D6C3A85B26B4EE57534D33F035063B1DD56BA3671B48700833E4A61BEF1805C86316888AA5D8645603CA655F4172311B20C98533058823734C276A3CEA66B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0.......|....@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138960
                                                                                                                                                                                                                                        Entropy (8bit):6.623166316895491
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:3i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYWB:S+9cu1oF/AnqWB
                                                                                                                                                                                                                                        MD5:7CC448724952FA3B42A7B16DCBD4B50B
                                                                                                                                                                                                                                        SHA1:65CC211E57AE073EA89B188B66D3D473B403DEF5
                                                                                                                                                                                                                                        SHA-256:D90F351153CA9A51ECC24575B6A586A9A01AF24BD84F552F8305201260EE486A
                                                                                                                                                                                                                                        SHA-512:1C8F6034B4BA71C5D4508263DEDB00098C583F7EA4F39AE281E680C8DDA3583A0FE7FD00DD601E652CA0D301D29800AD13FC102038D4A836F99D44E331D3B2FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0............@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95464
                                                                                                                                                                                                                                        Entropy (8bit):6.7987777090492445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nbZYULZ73iO/kwji3FWx+FJ4gwgDNSV2U5ANaudsJvdjsCIrqhZxu3hUlZNO:nHL53D/djPxaJ4gGQU5ANaudsjg9+hZk
                                                                                                                                                                                                                                        MD5:21E18A96C9A2E6F0838DA7BBD272CE21
                                                                                                                                                                                                                                        SHA1:C940F5069CE95083865D2D985682D51296B81257
                                                                                                                                                                                                                                        SHA-256:6CA7A9B8F2600181A4D47FA7090FF37E412687E7EA64BA5CAC4319277BE60C74
                                                                                                                                                                                                                                        SHA-512:1819469664C0DDE5ADFDA140313C32F9874301E103FF74E95AC684BAB71D06668299B8092564993727DF380E276B2400C1E1025D9527F637826BFCDFC9D78E66
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................................8......=.=....8......Rich....................PE..L....%.\.....................*.......@............@..........................p......`.......................................4A..<....P...............4...@...`..x... ...8...........................X...@............................................text...|........................... ..h.rdata..D...........................@..H.data...............................@...PAGE.....?.......@.................. ..`INIT....r....@...................... ..b.rsrc........P.......$..............@..B.reloc..x....`.......(..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20968
                                                                                                                                                                                                                                        Entropy (8bit):6.629648031240336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:uMuUBfWPmqKebW1j2zAAHOOntqVuvTRKzOqUAY8JN77hhecs:JHqKyWMvUutVjO3hob
                                                                                                                                                                                                                                        MD5:955C309947C5CAEFFB429DBF12DC13A1
                                                                                                                                                                                                                                        SHA1:5079A801E91F9ACBE996FBCAE6D402B7E5FC72D9
                                                                                                                                                                                                                                        SHA-256:59BBC2EBBA9CD056FBA8B80FC0E5DA9540D6E50F419216A1BB2A4B3E95AFB480
                                                                                                                                                                                                                                        SHA-512:BD4BBE228378466AD50F2B734438DDBD4FE8F6C7C3B573080834321C99E748512BE8511A927D4FD8B00635D320BEF7B245E05F174988F283B4339E1F8CED1BCE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=5.:yT.iyT.iyT.ip,QixT.iyT.iET.ip,WitT.ip,VixT.ip,GitT.ip,UixT.iRichyT.i........................PE..L....%.\...........!.....,..........-/.......@...............................`.......y....@......................... :......|3.......................6.......P..4...................................(...@............................................text....*.......,.................. ..`.data........@.......0..............@....reloc.......P.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_iddcx.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10660
                                                                                                                                                                                                                                        Entropy (8bit):7.072232435699263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:2vBYcjEdZubhLtaSu9sZscF8Bd1LUEduasnZH5:B0+ZKoqZsHLUHPnh5
                                                                                                                                                                                                                                        MD5:CCC20AC60F19430FBFDA6D49F164654C
                                                                                                                                                                                                                                        SHA1:425253D81B930175321A9B54AB4B6D736D6AF8A2
                                                                                                                                                                                                                                        SHA-256:D96B2FBFDD9245EA1D46994183917340912FE9A07AC569B4F70AD51123E55EDB
                                                                                                                                                                                                                                        SHA-512:F9B9AB9DCF0286F2A5635DD8BE1DF5F7718017EC580B46A217EC4B77615F7D7F0FEF4484886884A912172BF8F6C16252AD5E982205AACAB73152F65A67951475
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.)...*.H........).0.)....1.0...`.H.e......0..M..+.....7.....>0..:0...+.....7..........Q.E..\>.i+...171023021614Z0...+.....7.....0...0....R5.3.3.7.3.F.4.5.5.C.1.1.5.0.1.F.5.3.6.B.3.1.E.4.3.E.0.4.0.D.4.C.C.6.A.8.2.0.3.4...1..K0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........S7?E\.P.Sk1.>..L. 40V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RB.5.5.0.5.C.6.8.0.6.1.6.0.4.1.9.C.1.F.7.1.F.4.A.8.0.8.4.4.C.A.8.5.9.D.3.9.9.F.8...1..K0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........P\h.......J..L.Y..0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RF.2.E.E.E.C.2.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_iddcx.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4514
                                                                                                                                                                                                                                        Entropy (8bit):3.7907010583152645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:9G2XNDctEXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9XcWEDNRniWI6fyw5I
                                                                                                                                                                                                                                        MD5:9CF8CFC1E0815F7D72D136DE87B08EEA
                                                                                                                                                                                                                                        SHA1:F2EEEC23EC55758E5072619B62E6851234FA6D3C
                                                                                                                                                                                                                                        SHA-256:9CA9C7A430D0B608F1A6ADDD9E2C17BF79845783356CE6230ECA1942A061B157
                                                                                                                                                                                                                                        SHA-512:6D3FEE674C83B1E68CAE7F079F74A70931D432751420300DB77DB2B237A88D81AC3CD8B4B82532DCDDEE5D1DBEF3077ACD97B5890DFA0A497B97D7594E3C15F9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .l.c.i._.i.d.d.c.x...i.n.f.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .L.C.I. .I.D.D.C.X. .D.r.i.v.e.r.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.L.C.I.%.....C.a.t.a.l.o.g.F.i.l.e.=.l.c.i._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.0./.2.3./.2.0.1.7.,.1...0...2.0.1.7...1.0.2.3.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_proxywddm.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11975
                                                                                                                                                                                                                                        Entropy (8bit):6.929505838705397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qRVW/ujEdZubhLtaSu9sZscF8Bd1LUY6uasnZHou49L:k+ZKoqZsHLUcPnhou4t
                                                                                                                                                                                                                                        MD5:186504237027590F25BEA0EC539256C8
                                                                                                                                                                                                                                        SHA1:A74309D7CFA8EF410EC85D3801D27291E8BC915A
                                                                                                                                                                                                                                        SHA-256:4CBD88D04F9C3B3DE3625B25049EA6B7C1614FFEA8730667BFF01DD210415ED1
                                                                                                                                                                                                                                        SHA-512:9D4B89A95DBF8D0ABFC55AE44C9CBFB29EB64AB1FFFBB81FFAB4308ED4CFD040F9A883B2B7B7A375B1675DD08532378C38410F4DB737FBDA2913EB28DE18A933
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.....*.H..........0......1.0...`.H.e......0..p..+.....7.....a0..]0...+.....7........6Q..G...Z-.....171023021614Z0...+.....7.....0...0....R3.3.1.5.E.7.A.8.9.7.B.E.4.1.D.7.B.F.9.6.3.D.7.3.4.B.9.E.D.3.4.A.B.4.2.8.B.3.4.3...1..S0F..+.....7...1806...F.i.l.e.......$l.c.i._.p.r.o.x.y.w.d.d.m...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........3...A..=sK..J.(.C0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.1.F.E.C.F.B.D.C.E.6.5.6.6.2.5.C.6.1.8.C.1.4.4.2.3.4.D.6.E.B.9.4.3.9.B.A.C.E.2...1..Q0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........q...ef%...D#Mn.C...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_proxywddm.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2715
                                                                                                                                                                                                                                        Entropy (8bit):5.418922446200014
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:qnch1OKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pcua1YuSnEhn/A7ic4d4y
                                                                                                                                                                                                                                        MD5:07DC873615C74141FB8A646F6FE1D378
                                                                                                                                                                                                                                        SHA1:7E2D32A5ACE72B7F3919215B707096B52CC3B5EC
                                                                                                                                                                                                                                        SHA-256:F97F4A79BF9ACB0D7FFB257CB3E16687F6281B8687C79361B680764F3427EF61
                                                                                                                                                                                                                                        SHA-512:8D59EBD58BFCDBD0115C22148DDFB1DE73E3D0C2AA42B2772B75F12D76BFA4FC3E8356346F0BE9B8F5631443FBCCCFD63354235E701A966CE104BDDC9A4987AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=10/23/2017,1.0.2017.1023..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):46528
                                                                                                                                                                                                                                        Entropy (8bit):6.272518240848504
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ql+LPDB5MAHFg6IWSG1ucVPajIyouwc09euwjsV3xnxhc:ql+Lt5X4WSM1a8youwzOsVxA
                                                                                                                                                                                                                                        MD5:F018A1846A12B5DFF4A5FB0343745BBA
                                                                                                                                                                                                                                        SHA1:C8E871A51E43B5E71A4D1ACA0A791B375CABAC86
                                                                                                                                                                                                                                        SHA-256:3E5D8C95805CAECFC1BF5F689F036D1831E375E573F2B0BFFA4BBB59EA36B853
                                                                                                                                                                                                                                        SHA-512:7DECEBD14950548436EB110F93A5951ABE42B6CACF8A041F77DFCE923FFB28B6B399EC3166F0D64A1B098F9671F73E43D020977D7EC093F7B786038C4A05C3B8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........N.9./.j./.j./.j.q.k./.j.q.k./.j.q.k./.j.r.k./.j.WQj./.j.r.k./.j./.j./.j'.7j./.j'.3j./.j'.0j./.j.r.k./.j.q.k./.j.q.k./.j.q.k./.j.q=j./.j.q.k./.jRich./.j........................PE..d....P.Y.........." .....X...@......@T....................................................`.........................................P...P................................#.......... ...8...........................`................p...............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...0...........................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):176576
                                                                                                                                                                                                                                        Entropy (8bit):6.124833448410162
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:WSNRRE5R1pHa9i/hXYTqHDh3ikNrgfxhxe74bgGY53Urb7:WS67jsKCT2d1NsDgGY5387
                                                                                                                                                                                                                                        MD5:37CF508FA1EB389ED85F822BAF9EF9B9
                                                                                                                                                                                                                                        SHA1:1720BEFADBD467FD715CE301545BC1FF02DB4681
                                                                                                                                                                                                                                        SHA-256:FA4CAC0B0361D85CE6220809FA85DFE3B295A187A7B58DD5FE5B06A7CE19F7FA
                                                                                                                                                                                                                                        SHA-512:B90CD035F83245EEDC1FC09ADEDFAC341411CFC47D130B891B2CC83B908F9F683DFFB140AA61F11B7BD15C8A5725070A92659CC567FA58F5879A1790B56833F5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Vj..7.R.7.R.7.R.j.S.7.R.j.S.7.R.i.S.7.R.i.S.7.R.i.S.7.R.j.S.7.R.7.R.7.R.j.S.7.RMi.S.7.RMi.S.7.RMi.S.7.RHi.R.7.RMi.S.7.RRich.7.R........PE..d....P.Y.........." .....r...*.......................................................F....`.........................................`M.......M..<................(.......#...........:..8...........................@:..................X............................text...`q.......r.................. ..`.rdata...............v..............@..@.data........`.......>..............@....pdata...(.......*...J..............@..@.gfids...............t..............@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131520
                                                                                                                                                                                                                                        Entropy (8bit):6.5166932980708925
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Si+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIo3:h+xNDVCYFB/vqIo3
                                                                                                                                                                                                                                        MD5:A9D5E6605391A4CE7E3699D5C39BA851
                                                                                                                                                                                                                                        SHA1:54950896563D61917A4A61949E8B3552BC85A061
                                                                                                                                                                                                                                        SHA-256:EA06D1A20DDDBF33AA776DE2036651F5B2A2AFF9503A2D7174C11000F92D0396
                                                                                                                                                                                                                                        SHA-512:91FB4793621E8FDE6E62074F8545C4AFB636DBFAF3C236E803325DEE7B2CB33F5F1B183D565D11195912CF6DC2BBDA8F472D844AD8AF5C7738EFCB702D71BB59
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0.......Z....@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):115136
                                                                                                                                                                                                                                        Entropy (8bit):6.395746141588922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7d+TsLFRVW08y8ka9xh+V3Un7C8PcYNzAR2k:R+wpCh+Vk7LPcWE0k
                                                                                                                                                                                                                                        MD5:91F0E25E7EDF20F4B262A5419CDF73F2
                                                                                                                                                                                                                                        SHA1:3D09164F4298A0EB1EEC978C1D3CA8259AABA326
                                                                                                                                                                                                                                        SHA-256:D9EF2E7A55DE74FFB18CFD2CD875089B81416B636CB6BD73A6DAFDDD5E3E0BF4
                                                                                                                                                                                                                                        SHA-512:2F4076F08EA9F3960A374F872AA547581811B4D1D225978F4FDFB5E42EF6FE79C491A53B33F7DD1E2B71BE6A281EFE29E7BF8ECFFD660D101F456AC4D456FA75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C^./.?.|.?.|.?.|jb.}.?.|.?.|d?.|jb.}.?.|jb.}.?.|jb.}.?.|.a.}x?.|.a7|.?.|.a.}.?.|Rich.?.|........PE..d....P.Y.........."......N...N......,..........@................................................................................................(............@...........#......L.......8............................................................................text............................... ..h.rdata..d,..........................@..H.data........0......................@....pdata.......@......."..............@..H.gfids.......P.......2..............@..HPAGE.....R...`...T...4.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc..L...........................@..B........................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25536
                                                                                                                                                                                                                                        Entropy (8bit):6.407648101166343
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:FkVsC2/s2Abnkr+YcSIVO67k5hVEi4ZKoqZsHLErHPnhk:nP0bE+YHIO67kLcn2/hk
                                                                                                                                                                                                                                        MD5:1FB5DE2628ECB1E835B18FDA9EB0CF29
                                                                                                                                                                                                                                        SHA1:560AD3A8FC97187403754FBE2F3DBA056948B6CA
                                                                                                                                                                                                                                        SHA-256:D1ADED22243AAF4B8727B064073B9CB1C33214DA01E76D08E69996E52E774538
                                                                                                                                                                                                                                        SHA-512:E51BD203950E4D5DF2E26E59D90D8DC7E0B2D767C58688D2CBAB0BFD5ED5C884A72E029A737FCF1E04C908D7404645EDEC609A2E7C42E6BDCA1CDD04AB2169CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..D.|...|...|..v...~|...|..B|..v...r|..v...t|..v...~|..v...~|..v...~|..Rich.|..........PE..d....P.Y.........." .....6...........1....................................................@.........................................pC.......;...............`.......@...#...p..0... ................................................................................text....4.......6.................. ..`.data...@....P.......:..............@....pdata.......`.......<..............@..@.reloc..Z....p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41408
                                                                                                                                                                                                                                        Entropy (8bit):6.573292469340805
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:jbWmecDs6zvVt94VbJqvhkqskgSjyzFigs2Ktmen4hI:jbM6JX0Jq5kNGcsntmer
                                                                                                                                                                                                                                        MD5:33C12C6F8271195C79B755388642FF77
                                                                                                                                                                                                                                        SHA1:ABF3438FC7FF738BF3D030AE68BB16CBF4848462
                                                                                                                                                                                                                                        SHA-256:086E922B53D801F63043D067A185893E5CD6341394B0E8C253D08D85D14B60A5
                                                                                                                                                                                                                                        SHA-512:13B8EEDF0E98476E40DAB4059C6E91C591FA1DD21844151916CA70E1440FE22FA211D53E766D37DF0E494739C7881AF340731FCCAFAE73CAF81733D9FC1E1E88
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................................................A................x)'....x) ..........[......[......[......^.-....[......Rich...................PE..L....P.Y...........!.....N...2.......E.......`......................................%.....@..........................p..T....q.......................~...#..........0l..8...........................hl...............`..H............................text...;L.......N.................. ..`.rdata..\....`.......R..............@..@.data................n..............@....gfids...............p..............@..@.rsrc................r..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131520
                                                                                                                                                                                                                                        Entropy (8bit):6.516896540085767
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/i+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIo8:K+xNDVCYFB/vqIo8
                                                                                                                                                                                                                                        MD5:F67D8A541D407C6886D6358248014B8E
                                                                                                                                                                                                                                        SHA1:9E17CD44ABBE3B30E0B52FBC5A6012BEA2CFCE61
                                                                                                                                                                                                                                        SHA-256:919ACBEDDCBFE27D12EE44ECD38044D880A68622D7BC412FF81B089746C79E5F
                                                                                                                                                                                                                                        SHA-512:674D9427B3F62382AD56EA647FD131CFF2E78CF31D5E7F608191390E752C382946C4CADB26B556F670C8C4A1C9245D1857841527C755BC505295224C4256C495
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0............@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131520
                                                                                                                                                                                                                                        Entropy (8bit):6.517207826538128
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Bi+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIod:s+xNDVCYFB/vqIod
                                                                                                                                                                                                                                        MD5:66541304390931345318FA3802797820
                                                                                                                                                                                                                                        SHA1:11B3116900D0BB1D9F49E39788C4C21A6B82954E
                                                                                                                                                                                                                                        SHA-256:B9CB315AD55CAD2147AAEBDCCC02055868DAF3EFD9F25384E50E80CE81EC018E
                                                                                                                                                                                                                                        SHA-512:852EF5A95F5827E8BCBC437371FFE6B3959AD41F319721E14804BD143E1597753F0DE4DA86864098F11B4F0698831529054D07B3650AECE83DAB2E5A7C51AE2A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0......."....@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):88000
                                                                                                                                                                                                                                        Entropy (8bit):6.656236620722421
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:1++m+LZZ3SFkKjrZFWUwTK4gCQ7fBr8UQ6SIDXvjeIg6NhUA0d:1LL73SFHjOUaK4gNoUQ6SE7hXNhUA0d
                                                                                                                                                                                                                                        MD5:B36B39A2AA5C15D0167A7D8454AE71A6
                                                                                                                                                                                                                                        SHA1:2CD2E7DAF1762A44F4FD4FC84FFC60D84A2AEFA6
                                                                                                                                                                                                                                        SHA-256:01871A132386F81DFD4894E9DAEB9433C4BE2A99EBE8FEC954E5182A43E96AF0
                                                                                                                                                                                                                                        SHA-512:4BC14EDF6C0A9695764DEAD9C90F502DCDB7F420BD54794539183BFFECD054218290C23C57155EF982F1DAA4B479DAF80B63C7CA643F73AF2A66AC01E96926E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................................8......=.=....8......Rich....................PE..L....P.Y.....................*.......@............@..........................p.............................................4A..<....P...............4...#...`..t... ...8...........................X...@............................................text...,........................... ..h.rdata..D...........................@..H.data...............................@...PAGE.....?.......@.................. ..`INIT....r....@...................... ..b.rsrc........P.......$..............@..B.reloc..t....`.......(..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22976
                                                                                                                                                                                                                                        Entropy (8bit):6.652405722283548
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pMuUkfWPmqKebW1j2zAAHOOntqVOviZKoqZsHLEF0PnhjIS:VHqKyWMvUOyncIhjIS
                                                                                                                                                                                                                                        MD5:893828FDA5B4026B36C238CBED43BCC2
                                                                                                                                                                                                                                        SHA1:B485E255B2F6F1C294BC127AA2BE14A39C346F56
                                                                                                                                                                                                                                        SHA-256:CEA46DCCAF211E71DE3895C08E7C9A828C53232EDDBC90C0A6E3552826A8DDFA
                                                                                                                                                                                                                                        SHA-512:951598591F2A395F8C5F993A5BD850CED11F43433DF00CF5B12CBAB360949E305A52CDF55A675C8FE59F275432C92D479444C91F71AB39AB342200560972A6A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=5.:yT.iyT.iyT.ip,QixT.iyT.iET.ip,WitT.ip,VixT.ip,GitT.ip,UixT.iRichyT.i........................PE..L....P.Y...........!.....,..........-/.......@...............................`.......(....@......................... :......|3.......................6...#...P..4...................................(...@............................................text....*.......,.................. ..`.data........@.......0..............@....reloc.......P.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                        MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                        SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                        SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                        SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                        MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                        SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                        SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                        SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77824
                                                                                                                                                                                                                                        Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                        MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                        SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                        SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                        SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                        MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                        SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                        SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                        SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8367
                                                                                                                                                                                                                                        Entropy (8bit):7.279860186543382
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+2A2RJoIo6vyowJL/aoxhHoe068jSJUbueqw4G:JRaD8YJLFHJ06dUb+w1
                                                                                                                                                                                                                                        MD5:092FF1A83123D816B748F0D382792543
                                                                                                                                                                                                                                        SHA1:C1D1E85955113B8AAB604107738E6B532FE5C706
                                                                                                                                                                                                                                        SHA-256:E81535236E4BDC5534677D05AB3DB67F03283E756233924945CC7D93D394DB5A
                                                                                                                                                                                                                                        SHA-512:7A24AF6CEF474663E615F9BCD5780D97D4249AE8D767EB60927A2BF7B7E66B1777486886C7A053C30301F98E22CCD5AAB7877BC47FA5000C34A707806B198864
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7...........cA.....G....081005153941Z0...+.....7.....0...0....R1.7.C.9.C.C.1.B.2.1.1.8.1.0.C.9.D.B.5.7.8.5.3.B.0.8.5.1.7.E.8.E.F.A.A.7.6.D.C.E...1..702..+.....7...1$0"...F.i.l.e........m.v.2...d.l.l...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............!....W.;.Q~...m.0....R9.6.B.8.E.2.E.D.6.3.F.5.4.B.E.B.4.E.0.8.7.7.1.2.A.D.A.7.5.2.0.C.2.3.7.9.C.5.C.4...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............c.K.N.w...R.#y..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RA.9.4.9.3.C.B.6.B.6.B.E.D.A.B.7.E.8.3.E.2.B.8.D.E.C.1.9.5.6.9.2.7.A

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26048
                                                                                                                                                                                                                                        Entropy (8bit):6.292871779652706
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:U2dFSGikkp4cE8WWk2lg0ZeE313MrnCbuSLwJiU:deeJlGMroJIiU
                                                                                                                                                                                                                                        MD5:867F3CA0E3A4B57F5BA7519B645AED66
                                                                                                                                                                                                                                        SHA1:837676FE5C7B62AFAA4D49E6AC51EDF948AD1757
                                                                                                                                                                                                                                        SHA-256:1A392E8731E4F01476C54FB4FD408F590D8530C34E3835081886A0056A91E502
                                                                                                                                                                                                                                        SHA-512:27E21584DC54D1996FDFEE2002027061A160E89BD3B7249C017D91900381102674D65282E9B623F002F392BBF8649F0092DE9CB46C70B739A42EE62A3753C8FF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9...W...W...W..=,...W...V...W..=*...W..=:...W..=&...W..=+...W..=/...W.Rich..W.........PE..d......H.........." .....2...........7............................................... .......................................................p..(............`..,....J..........<....@...............................................@...............................text....-.......................... ..h.rdata.......@.......2..............@..H.data........P.......8..............@....pdata..,....`.......>..............@..HINIT.........p.......@.............. ....rsrc................D..............@..B.reloc...............H..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2255
                                                                                                                                                                                                                                        Entropy (8bit):5.3700497661675906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                                                                                                                                                        MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                                                                                                                                                        SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                                                                                                                                                        SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                                                                                                                                                        SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11712
                                                                                                                                                                                                                                        Entropy (8bit):6.137352195821723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8hD6YJoIo6vyowJL/aoxhHoe068jSJUbueqycZ:8hD6YaD8YJLFHJ06dUb+BZ
                                                                                                                                                                                                                                        MD5:4B6B1EF53636E2C5A9EB9AF291970073
                                                                                                                                                                                                                                        SHA1:868C5A226293EEB37C513E106A80B9EE9A01684A
                                                                                                                                                                                                                                        SHA-256:25444A485A800E2609AD56179146DD24C41E3E56A10969037D4914BAA452DF53
                                                                                                                                                                                                                                        SHA-512:05B3D52E62ABB995B3EA4BEBE7C3D18354124772D97287BAAF4474ADBF9BD537AC258974C1C0B2EC1C7E3779D27D411FE74550FEA77A36D06A6D99FFD0628A7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:f.q[..q[..q[..q[..r[..V.s.t[..V.u.p[..V.e.r[..V.y.p[..V.t.p[..V.p.p[..Richq[..........PE..d...p .G.........."..................P.......................................p......cQ......................................................dP..<....`.......@......................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@......................@..HINIT.... ....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\install.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                        MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                        SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                        SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                        SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:setupdrv install

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1150
                                                                                                                                                                                                                                        Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                        MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                        SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                        SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                        SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):90688
                                                                                                                                                                                                                                        Entropy (8bit):6.200545275172027
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:I/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMXq:I/QNjfCEoAOD0cUVWhmRLARnSDH5y1yv
                                                                                                                                                                                                                                        MD5:6C788D13DEDCD6EB9E022ACA8BD1C3FA
                                                                                                                                                                                                                                        SHA1:741A5342618A0AF7AC6E3F947FB3BC128477E237
                                                                                                                                                                                                                                        SHA-256:0BB050B230CA684DE7021D9B66303C71F408885163B20166E7047C223E0EE01E
                                                                                                                                                                                                                                        SHA-512:9CEEBC23EF82A302250291B0D3584F9CE9328DEA8850F49A3473B6B5392FCE4299AC0535A0F9AAF0A22047293DFD2AC70DF4002E21BF7B1BB1711E9984C9BC33
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nx..Nx..Nx.....Nx......Nx.....Nx..Ny.ENx......Nx......Nx......Nx.Rich.Nx.................PE..d....T.G..........#..........n.......E.........@.....................................8......................................................."..x....................L..@............................................................................................text............................... ..`.rdata...@.......B..................@..@.data...d=...@....... ..............@....pdata...............6..............@..@.rsrc................B..............@..@........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\uninstall.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):411
                                                                                                                                                                                                                                        Entropy (8bit):4.977180725182127
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                                                                                                                                                        MD5:2203EE251159885EF20D6970F67529C3
                                                                                                                                                                                                                                        SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                                                                                                                                                        SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                                                                                                                                                        SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8367
                                                                                                                                                                                                                                        Entropy (8bit):7.270789935373524
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+90+LRJoIo6vyowJL/aoxhHoe068jSJUbueqNb:eBRaD8YJLFHJ06dUb+Nb
                                                                                                                                                                                                                                        MD5:80D00FB5201EE5E66D8230B8440A7643
                                                                                                                                                                                                                                        SHA1:0DD971723322BB0EC8D7EF71D6389F839F6EBE30
                                                                                                                                                                                                                                        SHA-256:C17A1DE10DF4DF8A51E1EE7EDB209E6DEBF34285E327A7C669EF0E04E1BED72C
                                                                                                                                                                                                                                        SHA-512:C01F6AB36E2007E18DE27B46CB51BC8896AF5666FE18F39DADB0DC90B0DAAC2AB6580F31B0B15BD83D5453932A1299AE17E8DBA298D20B656945DEB0506F6AB5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7.......r..V5B.r/.9.V...081005153046Z0...+.....7.....0...0....R8.3.5.1.9.D.3.B.C.A.9.2.3.C.F.2.9.A.9.3.D.9.2.E.A.4.1.3.A.5.C.E.D.E.5.B.B.E.0.0...1..702..+.....7...1$0"...F.i.l.e........m.v.2...s.y.s...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........Q.;.<........[..0....R8.7.E.8.4.F.A.7.5.6.B.9.8.F.1.4.3.7.F.F.8.F.8.D.D.9.A.2.D.C.B.6.D.0.6.2.8.5.1.5...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+..........O.V...7......b..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RD.7.9.F.6.E.3.3.5.F.D.E.2.3.6.B.8.1.F.9.D.B.0.D.4.2.F.1.4.8.4.B.7.B

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23488
                                                                                                                                                                                                                                        Entropy (8bit):6.423731919049599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QvTfgigZKPBRDwvp5BY83HV8diQFHbsQaD8YJLFHJ06dUb+DQ:QLfpqKZRDMq6HV89HbsQSLwJiDQ
                                                                                                                                                                                                                                        MD5:55CB63E6661D7A911C74BF39986336AB
                                                                                                                                                                                                                                        SHA1:1F26A92347F58DC9616B611F1E8A29E0E6B94D67
                                                                                                                                                                                                                                        SHA-256:9C5E913DB4B4BE861EEC63C071FBCC6A3BC60A0D11949EC47251780508A83E25
                                                                                                                                                                                                                                        SHA-512:B31838612588A4CA9BB6B7D5DD0EABB69BF8FD41170FA71A0D7357D31BAFDF3075F0DE070160AFB58DAACEC5BB47EF34316E652DE9421B186F91BDCAA2BF58A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..k..k..k..k..k.*.k..k.*.k..k.*.k..k.*.k..k.*.k..kRich..k................PE..L...h..H...........!.....,...........1.......@......................................^a.......................................`..(....p...............@..............p@...............................................@..p............................text....&.......(.................. ..h.rdata..q....@.......,..............@..H.data...@....P.......0..............@...INIT....r....`.......4.............. ....rsrc........p.......8..............@..B.reloc...............<..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2243
                                                                                                                                                                                                                                        Entropy (8bit):5.362010783542873
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ehVVpvnf4+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJfJ0di4yMyAXDwlFLB
                                                                                                                                                                                                                                        MD5:AEA986639139A63559A39BE4A9986B39
                                                                                                                                                                                                                                        SHA1:87E84FA756B98F1437FF8F8DD9A2DCB6D0628515
                                                                                                                                                                                                                                        SHA-256:78A01CCC86628727E603A74BF008DBD95B465031EFA6FB52AB9496293E8470E1
                                                                                                                                                                                                                                        SHA-512:37E092646B88E45962737ED696C575F944E15BAD3884442A60D7DE427E8669AE1B3C578CE959D2D304A7668CC84F8F3E0C220A4988D4C15197228466456B3878
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBi

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11712
                                                                                                                                                                                                                                        Entropy (8bit):6.022711070794495
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+SniyJoIo6vyowJL/aoxhHoe068jSJUbueqrII:OyaD8YJLFHJ06dUb+J
                                                                                                                                                                                                                                        MD5:B435F95592AD8E6FC3BACD4A7E89B614
                                                                                                                                                                                                                                        SHA1:287FA71A499CB6AA7E806BB6106C7401CD504ACA
                                                                                                                                                                                                                                        SHA-256:331F200BCEA80E55743CE8CCF49B18785F70CAF21C13B15FBA9A3A9D32C6A46E
                                                                                                                                                                                                                                        SHA-512:53373208640AC22F23B4C56D9C9AC32E0837314E736D14FEAF2A571594886A3D6EF42B875980D39FBE9103C101CDAED43740EB026FFFA6019503E39A85E38086
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}K..9*r.9*r.9*r.9*s.:*r.....<*r.....;*r.....8*r.....8*r.Rich9*r.........................PE..L...j .G.............................@....... ...............................p.......b......................................H@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\install.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                        MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                        SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                        SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                        SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:setupdrv install

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1150
                                                                                                                                                                                                                                        Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                        MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                        SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                        SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                        SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):5.9219061141523825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                                                                                                                                                        MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                                                                                                                                                        SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                                                                                                                                                        SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                                                                                                                                                        SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p..p..p......p......p.n....p..p."p......p......p......p.Rich.p.................PE..L.....H.....................`.......<............@..........................p......z_..........................................x....`..4...............................................................@............................................text............................... ..`.rdata...0.......@..................@..@.data...d3... ....... ..............@....rsrc...4....`.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\uninstall.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):405
                                                                                                                                                                                                                                        Entropy (8bit):4.932556842608647
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                                                                                                                                                        MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                                                                                                                                                        SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                                                                                                                                                        SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                                                                                                                                                        SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8403
                                                                                                                                                                                                                                        Entropy (8bit):7.26515273733877
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:VafwaRJoIo6vyowJL/aoxhHoe068jSJUbueqO0:VQRaD8YJLFHJ06dUb+O0
                                                                                                                                                                                                                                        MD5:9B3AB5B97500F2C39C75EA2910BC6420
                                                                                                                                                                                                                                        SHA1:42267EA620E0EF5B0F4DBF25B705F1B3C4D03649
                                                                                                                                                                                                                                        SHA-256:32557B63B75CE1DBB761C22092E130561FE6B156CD1D0F96E809E8D0A32E89A6
                                                                                                                                                                                                                                        SHA-512:BFEBCC8BA47E7E0F7FA6218E2A057C3ADD8C570B839ACA3F159495024028A9F6408143FB7A34F2EAD66278401898150A497339BEF3E671A3212055EC73056009
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0. ...*.H........ .0. ....1.0...+......0.....+.....7.....v0..r0...+.....7.........8U<F..n1.L.\..081005153929Z0...+.....7.....0...0....R4.7.2.9.5.6.B.E.1.5.7.7.9.6.F.0.3.4.9.B.9.C.D.9.3.0.D.5.0.9.5.1.B.6.2.F.6.9.B.D...1..C02..+.....7...1$0"...F.i.l.e........m.v.2...d.l.l...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........G)V..w..4...0..Q./i.0....R9.6.B.8.E.2.E.D.6.3.F.5.4.B.E.B.4.E.0.8.7.7.1.2.A.D.A.7.5.2.0.C.2.3.7.9.C.5.C.4...1..;02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............c.K.N.w...R.#y..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RD.F.A.3.A.B.F.9.9.C.2.4.E.2.7.D.8.6.3.9.B.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25536
                                                                                                                                                                                                                                        Entropy (8bit):6.314384276589044
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:jdxcojc4oPxNtS4v28b3pnd6DABnOSLwJiz:jdj9oPxjNv2YnPdpIiz
                                                                                                                                                                                                                                        MD5:52E972E497645851FA910787CC2050E0
                                                                                                                                                                                                                                        SHA1:1CE9A93996DFC5F24DF8CAD16E15555BE368B956
                                                                                                                                                                                                                                        SHA-256:B0C07A2912B4EC67CA8A37B890DB33A62CC0DB3A733CD6D146FF6F865D6E4B88
                                                                                                                                                                                                                                        SHA-512:4CADF2BFA9056A1756BB79C4EB2842E8A9A132544305EAB0F1433AF2C890B24DA3614E5E241A86358CF47FBF7F0A783102850346CAB2FA04B1AEDC9B81C79E94
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9.].W.].W.].W.].V.F.W...,.^.W...:.Z.W.....\.W.../.\.W.Rich].W.........PE..d......H...........!.....2..........0=..............................................g'.......................................................p..(............`..,....H..........<....@...............................................@...............................text....-.......................... ..h.rdata.......@.......2..............@..H.data........P.......8..............@....pdata..,....`.......<..............@..HINIT.........p.......>.............. ....rsrc................B..............@..B.reloc...............F..............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2255
                                                                                                                                                                                                                                        Entropy (8bit):5.3700497661675906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                                                                                                                                                        MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                                                                                                                                                        SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                                                                                                                                                        SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                                                                                                                                                        SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11712
                                                                                                                                                                                                                                        Entropy (8bit):6.137468737457105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8CvhDWQJoIo6vyowJL/aoxhHoe068jSJUbueqEQ:hhDWQaD8YJLFHJ06dUb+EQ
                                                                                                                                                                                                                                        MD5:0469611E7DC0A882D123DC89FE386C01
                                                                                                                                                                                                                                        SHA1:7059D4EFBE980F3A355CF8401A33F7EA1E129CD9
                                                                                                                                                                                                                                        SHA-256:BFFA6606A5CCD1F79EF7D0F591BD6EE8FDE28C266EA8C8608D423321174CB87C
                                                                                                                                                                                                                                        SHA-512:FA1ED8E1A312497A1DCFB73F12D545BA298063250FCDC9E03B4EC71DD86C91743104EB322351F4AD1E33CDD3E412E92595EBA03EE860D013B0A2646BCB467327
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.g'..g'..g'..g&..g'...\..g'...J..g'...Z..g'...J..g'...V..g'...[..g'..._..g'.Rich.g'.........................PE..d...0 .G.........."..................P.......................................p......u.......................................................dP..<....`.......@......................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@......................@..HINIT.... ....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\install.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                        MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                        SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                        SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                        SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:setupdrv install

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1150
                                                                                                                                                                                                                                        Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                        MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                        SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                        SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                        SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):90688
                                                                                                                                                                                                                                        Entropy (8bit):6.200844475591763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:D/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMK:D/QNjfCEoAOD0cUVWhmRLARnSDH5y1y3
                                                                                                                                                                                                                                        MD5:137E02F6D5D1BEB5F8096AA34C93545C
                                                                                                                                                                                                                                        SHA1:8550A23A017B440A7D558F4DBC959C643262D803
                                                                                                                                                                                                                                        SHA-256:9CE571A987AEE98698D1A70D39A744A416136370D5659B23DE8C1CC523CEEB83
                                                                                                                                                                                                                                        SHA-512:38DD0F680C3D906307B0BDD835E035D154F0F65DCB69D25455D81F50F6E1ECC3854A507A26B2C1FE029B05EC1BC7ABB974DDB2190BC06B5808C4A14E243E808D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nx..Nx..Nx.....Nx......Nx.....Nx..Ny.ENx......Nx......Nx......Nx.Rich.Nx.................PE..d....T.G..........#..........n.......E.........@....................................._......................................................."..x....................L..@............................................................................................text............................... ..`.rdata...@.......B..................@..@.data...d=...@....... ..............@....pdata...............6..............@..@.rsrc................B..............@..@........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\uninstall.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):411
                                                                                                                                                                                                                                        Entropy (8bit):4.977180725182127
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                                                                                                                                                        MD5:2203EE251159885EF20D6970F67529C3
                                                                                                                                                                                                                                        SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                                                                                                                                                        SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                                                                                                                                                        SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8367
                                                                                                                                                                                                                                        Entropy (8bit):7.272037405136225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:5otYRJoIo6vyowJL/aoxhHoe068jSJUbueqY:nRaD8YJLFHJ06dUb+Y
                                                                                                                                                                                                                                        MD5:89A312ED78E1EDAC37DE5FD1D3E4E0EB
                                                                                                                                                                                                                                        SHA1:0F913D609437D8B4C2D9675E66C650C6344B93D5
                                                                                                                                                                                                                                        SHA-256:065C1A3537BAE5BB645DAC15E068DE3CAEA40E460DF130A05D3CBFE15831E747
                                                                                                                                                                                                                                        SHA-512:A20DF9DEA384F8B52F287A2E16076CA32BF965B46A46B28BF49A1F18F342AA1E19A1B7FA7AD303AC3AB91364D5C18BCF62083360AF54DC5EA9236BD90AB35A1B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7.....H.`.O.N@...B...b..081005153452Z0...+.....7.....0...0....R1.E.2.1.E.3.7.E.C.2.C.6.8.4.8.9.E.7.6.D.5.E.C.A.0.4.D.A.3.5.1.6.B.9.4.3.2.7.5.F...1..702..+.....7...1$0"...F.i.l.e........m.v.2...s.y.s...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........!.~....m^...5..C'_0....R4.5.3.D.8.9.E.E.3.3.4.F.4.7.2.4.3.C.6.C.C.C.5.3.4.A.D.4.D.4.6.9.B.E.3.0.9.7.2.6...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........E=..3OG$<l.SJ..i.0.&0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.B.0.9.9.7.8.F.8.B.F.D.A.2.5.3.F.D.5.7.9.1.3.5.3.1.2.9.3.B.F.2.6.5

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20288
                                                                                                                                                                                                                                        Entropy (8bit):6.695099027186018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w69hD4isesPZlFwQUWeFtdg4uS8fHt9ndIeBq6H7LFhaD8YJLFHJ06dUb+C1:w6WesRlFwQg1buSCH3nWB6bLPSLwJi2
                                                                                                                                                                                                                                        MD5:775286759FF1211C25A8D65D29024FD0
                                                                                                                                                                                                                                        SHA1:1E8A304D9DBCF3C0AA09AA10304B09B99995C54F
                                                                                                                                                                                                                                        SHA-256:9581581926651D7A2887FD51CE2D7A330333E47C4F91FB34D7B20C058D9B96D2
                                                                                                                                                                                                                                        SHA-512:54D4D0A0547311A6B19D5CB196E98DEF93EB5311F1328FA2B3674E81E157D266B2D8CF78E08E547F3BFE21CA716D4679674B23BCE196D612184840E578DAA806
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................9.b.}...}...}...}...g.......~.....S.z.....R.|.....V.|...Rich}...................PE..L......H...........!.....$...........%.......&...............................3......Jk.......................................,..(....................3.......2......p&...............................................&..l............................text...R!.......!.................. ..h.rdata..q....&.......&..............@..H.data...0....(.......(..............@...INIT....^....,.......,.............. ...

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2239
                                                                                                                                                                                                                                        Entropy (8bit):5.36119317959271
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ehVVpvn2vF+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJQ20di4yMyAXDwlFLB
                                                                                                                                                                                                                                        MD5:D6AEB05521710E2006B4A9E8C07C68C4
                                                                                                                                                                                                                                        SHA1:453D89EE334F47243C6CCC534AD4D469BE309726
                                                                                                                                                                                                                                        SHA-256:F34C416888AEBE90A29948D95BEB8343B7B49CF7E1BB5193716FD97F0330E842
                                                                                                                                                                                                                                        SHA-512:13C61423D966A5A670BED20535BF6EA211FAAAC15CAD7D2E1124A855A27360CD7B97BFE01E5EE368A139DE9CA07B236427A2BEAEAD19F7C72FD610876696D82D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=05/25/2004,1.1..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBinary

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10304
                                                                                                                                                                                                                                        Entropy (8bit):6.601225217483284
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:M46n7JoIo6vyowJL/aoxhHoe068jSJUbueqBfg:TW7aD8YJLFHJ06dUb+W
                                                                                                                                                                                                                                        MD5:8CD0D603FF051F283CAEE66853622D65
                                                                                                                                                                                                                                        SHA1:2BAE5B78077F08564AA8DA2DBD8E91C4692BB211
                                                                                                                                                                                                                                        SHA-256:9CF391A95C44F449827004632A3995C66223D24A09CB309CBA2227C94079857E
                                                                                                                                                                                                                                        SHA-512:108DC92D80352C3FB2D3EA06B545AA1C19C492506CD0F9C71BF00FF38C97B7BAA840ABD9B33B1E3CE4A154860F1C9301C3504CD1738CC887870025226EA36C32
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................}>..9_..9_..9_..9_..:_...P.<_......;_.....8_.....8_..Rich9_..........................PE..L...X .G...................................................................................................................H...<...............................(....................................................................................text............................... ..h.rdata..............................@..H.data...............................@...INIT............................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\install.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                        MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                        SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                        SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                        SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:setupdrv install

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1150
                                                                                                                                                                                                                                        Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                        MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                        SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                        SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                        SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):5.9219061141523825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                                                                                                                                                        MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                                                                                                                                                        SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                                                                                                                                                        SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                                                                                                                                                        SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p..p..p......p......p.n....p..p."p......p......p......p.Rich.p.................PE..L.....H.....................`.......<............@..........................p......z_..........................................x....`..4...............................................................@............................................text............................... ..`.rdata...0.......@..................@..@.data...d3... ....... ..............@....rsrc...4....`.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\uninstall.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):405
                                                                                                                                                                                                                                        Entropy (8bit):4.932556842608647
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                                                                                                                                                        MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                                                                                                                                                        SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                                                                                                                                                        SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                                                                                                                                                        SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28904
                                                                                                                                                                                                                                        Entropy (8bit):6.117643529522381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:e+YCxM04ZZNXkvT4cTMUBZ17XM/Q3HUL+drIKumXOs:eULtXFULWfZ
                                                                                                                                                                                                                                        MD5:87FC012C1B45E780B6CFF6C4F1677C3B
                                                                                                                                                                                                                                        SHA1:C8EDB2EA85AE5EC17232F6E4CC5594AFB4805936
                                                                                                                                                                                                                                        SHA-256:D09E57690C0E9D6FF7EF26C7DD85F2E6D19C8E7B36CC298AEBAE04B16D59CA45
                                                                                                                                                                                                                                        SHA-512:9CD0590444B5FC79CDCD98196D43B027FA17091B49C5246CF9AE97128131BE851D7547BFB5896A2400045CE38901D74A61AEE2DE7D833B178CBDC6EFCC30CBAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sk..7...7...7...>rn.0...7.......>rz.4...>r|.4...>rj.3...>r`.6...>r}.6...>rx.6...Rich7...........................PE..d...@.@R.........."......8......................................................................................................................(.......8....P..X....T..........(....1...............................................0...............................text...F........................... ..hNONPAGED..... ...................... ..h.rdata.......0......................@..H.data........@....... ..............@....pdata..X....P.......$..............@..HPAGE....G....`.......(.............. ..`INIT.................D.............. ....rsrc...8............L..............@..B.reloc..t............R..............@..B........................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):193
                                                                                                                                                                                                                                        Entropy (8bit):5.2470977727549695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajs/dYV0K8G6Pm/mec99KfRFQi64hA3C:kid40K8GteerfUibA3C
                                                                                                                                                                                                                                        MD5:1E14B5A16092F96F382E7CC1291A2B8B
                                                                                                                                                                                                                                        SHA1:5CBD16AE4C6570AF42D6DC61C64AC2660FD88F60
                                                                                                                                                                                                                                        SHA-256:D547136F9EDF4066EF4E59864EED1D45EEBAE7FBB338F0068C925B6E6212A0CE
                                                                                                                                                                                                                                        SHA-512:1B5222F0F87C6C4A651868DFF84A7BB69A3C913257F0665DD955AF411AD9FC7D19AA1242F362BA676474CCEDDAC51D2B3A1AAEBA11BAEFEF899C6D5C0F083509
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):207
                                                                                                                                                                                                                                        Entropy (8bit):5.345831283284553
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajs/dRLw0K8G6Pm/MWyec99KfRFQi64hA3C:kidm0K8GtfyerfUibA3C
                                                                                                                                                                                                                                        MD5:0270238B2339619D2CC54585124D1ED3
                                                                                                                                                                                                                                        SHA1:657F624CD74BADB8CB0186731FEDA17A997AD929
                                                                                                                                                                                                                                        SHA-256:01D2B51A0E18924936C30611457CAD5C5CC2A803C4CFD45E0850A92F6C55B6D7
                                                                                                                                                                                                                                        SHA-512:52A05F90023926CE9274C64CDE925C2C6055439201AF932459D4FED3D823D08164C76695FFEBA1763C4F9D76D52AAB2F86E230603E3DC2FB7664256E1856CFF8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon64.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8925
                                                                                                                                                                                                                                        Entropy (8bit):7.166871854157093
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:dBsB42FHECwUnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mlv4:kB4UwUnYPL/p1P6j7Tmu
                                                                                                                                                                                                                                        MD5:38BEB031E625E814CFA8F84CEEE2B8FF
                                                                                                                                                                                                                                        SHA1:103C875EE0378BA5375A34E731FB2AFFC07939E1
                                                                                                                                                                                                                                        SHA-256:D441726A3E82AF0DF1C60EDD17B753E59827789BC50E3E79FE957319085F9091
                                                                                                                                                                                                                                        SHA-512:45DAD2545DB7B3A43DA22FB04518320BFE7E601AF053866253A52F887EE7C8919587AB11C448D335758BEFE2633D3D176B022F2E29D2B920F6164A6101F7CC41
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0."...*.H........".0."....1.0...+......0..j..+.....7.....[0..W0...+.....7.......L.L..O..Jm. Ym..130924010058Z0...+.....7.....0..S0....R3.7.4.F.E.D.7.A.4.4.6.6.9.F.1.A.C.7.B.0.7.2.B.0.C.7.1.8.5.5.F.5.B.6.B.0.3.5.C.8...1..m08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...s.y.s...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........7O.zDf...r...U...5.0....R7.C.8.2.3.8.E.F.3.2.B.A.3.9.C.D.9.C.9.4.D.D.0.5.4.5.0.A.7.D.E.0.E.D.E.1.4.5.D.4...1..e08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|.8.2.9....E.}...E.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1897
                                                                                                                                                                                                                                        Entropy (8bit):5.40875279355006
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:jshokavrehezNkgyfROQ9gHwuMgHPgHh2v6YgFR:jMokCcakgMgyIMsAegn
                                                                                                                                                                                                                                        MD5:A68830A694AB983F0CBF2CC735A535E8
                                                                                                                                                                                                                                        SHA1:7C8238EF32BA39CD9C94DD05450A7DE0EDE145D4
                                                                                                                                                                                                                                        SHA-256:6F5CA12FFDFF830B32F02AF03C7B385819CC07BB51AC72A20D69B9C51B2E4112
                                                                                                                                                                                                                                        SHA-512:581478C5A9488227D0C56E34B7AE353C3FA7068D84023AEC14390B31D24B65BED82FD39590C5A7C4875AD25DEF17FC67ACC97C327D4282AD1E11DD9C260A714C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature="$WINDOWS NT$"..Class=Monitor..ClassGUID={4d36e96e-e325-11ce-bfc1-08002be10318}..Provider=%splashtop%..DriverVer=06/19/2013,1.0.0.1..CatalogFile=stdpms.cat....[SourceDisksFiles]..stdpms.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,64bits....[DestinationDirs]..DefaultDestDir = 10..CopyFunctionDriver = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTAMD64....[Vendor.NTx86]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[Vendor.NTAMD64]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[stdpms.Inst]..CopyFiles=CopyFunctionDriver..AddReg=stdpms.AddReg....[stdpms.AddReg]..HKR,,DevLoader,,*ntkern..HKR,,NTMPDriver,,stdpms.sys..HKR,,Description,,%splashtop.DeviceDesc%....[stdpms.Inst.NT]..CopyFiles=CopyFunctionDriver....[stdpms.Inst.NT.Services]..Addservice = stdpms, 0x00000002, stdpms_Service_Inst....[CopyFunctionDriver]..stdpms.sys,,,2....[stdpms_Service_Inst]..DisplayName = %splashtop.SvcDesc%..ServiceTyp

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23272
                                                                                                                                                                                                                                        Entropy (8bit):6.296320987470735
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:G7yGlvIydpSkgTyLAykFsAZNOhFB8LHFnYPL/p1P6j7rflo:KyGlvIydQkgTgQFJjrFumXflo
                                                                                                                                                                                                                                        MD5:F44EC7AB90115F60EE5C89C40326E637
                                                                                                                                                                                                                                        SHA1:01BEC4EA8173F191321300587142A6E750728854
                                                                                                                                                                                                                                        SHA-256:C870FAFAD5C6DB27954C0440D9EFDDCE7B9C61D754EF0E77ABF18EFA1055DD90
                                                                                                                                                                                                                                        SHA-512:17FD122441EB1B2DBEAD9D79E0B8DB2CB0D581B930DF140069BD77440AA4F9BF4DB80784F261F57253CF3351546817238AAC81B2D68DA74884C46D514C9A9EDA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................fd......ft......fc......ff.....Rich....................PE..L...>.@R.................*...........p.......0..............................................................................p..(.......8............>...............0...............................................0...............................text...l........................... ..hNONPAGED..... ...................... ..h.rdata.......0......................@..H.data........@......................@...PAGE.........P...................... ..`INIT.........p.......,.............. ....rsrc...8............4..............@..B.reloc..|............:..............@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):429
                                                                                                                                                                                                                                        Entropy (8bit):5.13651514908582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kWgfeVKfDFGjdCi4eGjdyE23B1047V1j47V1u477lLWNi:ZoDowvei8XRC4R94RQ4h9
                                                                                                                                                                                                                                        MD5:F42F2B0F25E41755569A7775A5C6F8BA
                                                                                                                                                                                                                                        SHA1:B630C60A3375309731B0B7AC33A9D6E12B44ED50
                                                                                                                                                                                                                                        SHA-256:F026A21D6037169A81AC862A79E4F47C674B34914C1DED36BCDDB8739C838F46
                                                                                                                                                                                                                                        SHA-512:8D9B9335D4767ACFCF651DB62B2B710CC9ECB402980D6A98982A1EA1C0A6F64FBA9762F2A44673CFE5749EE742F5FE68031FCFF968B4B4D2A290E74A0192375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon.exe /r remove *PNP09FF >> inst.log..utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd.exe /u stdpms.inf >> inst.log..:End

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):447
                                                                                                                                                                                                                                        Entropy (8bit):5.223602249135668
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kWgMyeVKfDFGjdd4eGjd0E23B1047V1j47V1u477DLWNi:Z3EDoQeiqXRC4R94RQ4P9
                                                                                                                                                                                                                                        MD5:3ADA65DC27A4580E1CF3FDC58A4A8C79
                                                                                                                                                                                                                                        SHA1:C1D8A0723FE1C586CEA434297CEF96E4E25C847D
                                                                                                                                                                                                                                        SHA-256:21D46DA2DC3808664C0D6028271BE0EEAB25DEFE60653E481238EEE96273E609
                                                                                                                                                                                                                                        SHA-512:B55E5E2CD2C1E48C526DEA70C075810F019942A72C2B0BBEF31E2DC8337B104ED5EB199AD6F0D8A16C6DFF3353193E647011A3E80762E47C9E7C13C6FCD4DBB4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon64.exe /r remove *PNP09FF >> inst.log..utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd64.exe /u stdpms.inf >> inst.log..:End

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                        MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                        SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                        SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                        SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                        MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                        SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                        SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                        SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77824
                                                                                                                                                                                                                                        Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                        MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                        SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                        SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                        SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                        MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                        SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                        SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                        SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):207184
                                                                                                                                                                                                                                        Entropy (8bit):6.508603224700573
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:SJzsVxRROApObap+CPSxzqNJ3pvfsFMV2+/SRVDB:SEOb5x2NxqFMi
                                                                                                                                                                                                                                        MD5:BDF578CA45021464EB4C5F2725FADE13
                                                                                                                                                                                                                                        SHA1:17FD8DD28EBE232EDB4A7D5B4A9734D6F48212F3
                                                                                                                                                                                                                                        SHA-256:F9711EC83463C8D7D8D3C2E0493BBDD9C55D55869AD49E327CC1F0612A836B51
                                                                                                                                                                                                                                        SHA-512:611999852027F5E52A786F4C22A77AF75EE3ECB1584AC1F061100248D19AA1C45C31665A38A46604B1D489A049D3CE00EF43DA7A5E427A3A7C1A5EFA0D874526
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<..<..<..5.5.3..<.....5.3.*..5.%.B..5.4.=..5.".k..5.2.=..5.7.=..Rich<..................PE..L....N.\...........!.........v......8........................................P............@.........................@...}...\...........................P.... ......@................................T..@............................................text............................... ..`.data....>..........................@....rsrc...............................@..@.reloc.../... ...0..................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):214992
                                                                                                                                                                                                                                        Entropy (8bit):6.578816818366091
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1yYZVBVmekQ5ncHc43wAmaxEJg3tNqYU51pQ8DfqXF7q9B24CvJ6BAQ:1y8Vf1uTHNqYUH+8GeMvJ4t
                                                                                                                                                                                                                                        MD5:DDBCBCED9CCBA27D296B680D04178B1D
                                                                                                                                                                                                                                        SHA1:5BE1EF49678E4F9250B675DFE595DF1219DD7EF9
                                                                                                                                                                                                                                        SHA-256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
                                                                                                                                                                                                                                        SHA-512:B913058A50A4235925F208E9FA8740DDA1A070168285401FD9C9032C0CC782887F5D92A0D68796D7473E61EE8DDC1E863503C288CAD1F99C233A0DEDE37CB314
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mX.])9r.)9r.)9r.oh...9r.oh..<9r.oh...9r. A..&9r.)9s.G9r.$k...9r.$k..(9r.$k..(9r.)9..(9r.$k..(9r.Rich)9r.........................PE..L...-..Z...........!................(C...............................................:....@.............................Y............P...............0.......`..........8...........................8...@............................................text...p........................... ..`.rdata...e.......f..................@..@.data....4..........................@....rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147280
                                                                                                                                                                                                                                        Entropy (8bit):6.480280521349599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Sooboos//G/jWDiNza6LR07qZ2bzl409+E/PXwCSp6WKsAqHew+1l7niE:SooyFiJRmbzl4mZYYqHz+1l7iE
                                                                                                                                                                                                                                        MD5:4359D841792BD3A711065BD347503ED4
                                                                                                                                                                                                                                        SHA1:ED3DA69B4DAAEE1E3C6A35B9B22A3608C210B845
                                                                                                                                                                                                                                        SHA-256:D8BAC61DF2126D9203B3823AA40AF05FE7B6F9C5122DEBAB5F8CEADD1119773B
                                                                                                                                                                                                                                        SHA-512:F1FB6B25199CDBD0C40CCCEB069CF3DC32DEEDC2F21C67CC8C22A189115389795B435631EEA30A94EDE19331FACF475A4BD7163522D9AD0EC1DF6118D1E05EAB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V..V..V..._..V..V..V...Y..V...O..V...^..V...H..V...X..V...]..V.Rich.V.........................PE..L....N.\...........!.........`.......q.......................................p......Y.....@.............................{.......x....0..............."..P....@......................................P>..@............................................text...;........................... ..`.data...@2..........................@....rsrc........0......................@..@.reloc..D$...@...&..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):160080
                                                                                                                                                                                                                                        Entropy (8bit):6.481630469427064
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:CizpEi8PNuoyZLy39r4BRyFr8Tjqe1LP+0hORlE:CUpX8FYFyB8T2oyRa
                                                                                                                                                                                                                                        MD5:1E478E7F7D20800B958E2D1780C805F6
                                                                                                                                                                                                                                        SHA1:F166DB5211F695BA039DC81C246653EC1B25DC02
                                                                                                                                                                                                                                        SHA-256:9989C6791433F8B7FD05F4750F79F9082DBD28087948A366EA695EAC983150CD
                                                                                                                                                                                                                                        SHA-512:852EFB6AE48B3C4BAD4B8E11DC46AAA4CA37A501AFD568B469BB9ED43A27086916588F370286DD1F51834037777C4D2518310A37A469AE7BE19CFE36F08A98D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c....j..j..j.z...j..k...j.z...j.z....j.z...j.z....j.z...j.z...j.Rich..j.................PE..L....N.\...........!.........b......%........ .......................................r....@.............................z............`...............T..P....p.......................................C..@............................................text............................... ..`.data....2... ......................@....rsrc........`.......&..............@..@.reloc..t&...p...(...,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):194896
                                                                                                                                                                                                                                        Entropy (8bit):6.4942111692959354
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:0w8OfdMjstdIxIImJZDpwmw6jse70oSzhiVjkXIS1qPfb3PPqFSqQovoRe9C86/9:0w8wZDxspqPfbuSqQCoSz6/e1+1FiAx3
                                                                                                                                                                                                                                        MD5:F0FCF6CB5986E267A978A0DF86471563
                                                                                                                                                                                                                                        SHA1:214F4BB84F7A1981D30B7C4BC13C7B3E4A5CC8B3
                                                                                                                                                                                                                                        SHA-256:34E4A968A87692DA8A2EF073ADD7E19F32009709B50F7C747D1D8BF261C21CBC
                                                                                                                                                                                                                                        SHA-512:529DFD1E587BE6EA67B464C44CC7A0C1B0F6A9CD663590E7BD0083CC7A68DD8F60FC1E81E26012D71CF5C8BD5EFF4B2FB477D5DBEF3FFA1FF4136CE266B5DA6F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c!...O..O..O.z...O..N...O.z...O.z....O.z...O.z....O.z...O.z...O.Rich..O.........PE..L....N.\...........!.........h......Z}....................................... .......g....@.............................|............... ...............P.......4... ................................M..@............................................text...<........................... ..`.data....3..........................@....rsrc... ...........................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):245584
                                                                                                                                                                                                                                        Entropy (8bit):6.433639873152362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:0w+rqKMvEZF6VPvVpb1eTjLp8D3qkTmII9b9zC+l+smDP00IPWx2Wuw:0drWgFEPNB+MPTHIWjP00Ie3
                                                                                                                                                                                                                                        MD5:FE4F22128776F52062DD8FA74D0B5075
                                                                                                                                                                                                                                        SHA1:3A15B1AD0B5D62D474319A3DB95D985B49537BF1
                                                                                                                                                                                                                                        SHA-256:EC4D01234426AAC9FF2751B209B0484769BEE97A0DC930B1B56A1743CD24B805
                                                                                                                                                                                                                                        SHA-512:163A78CB59061B4B9BE98DC763109744BBBEEDAF8B3CB7EB19A22334AC1F9223880C0E8684FEB4B363C824D9918E72E1B94D5F76AD63235F8C49ADEFC3713637
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.Cr.Cr.C{.2Cy.Cr.C..C{.4Cg.C{."C..C{.3Cs.C{.%C*.C{.5Cs.C{.0Cs.CRichr.C................PE..L....N.\...........!.........................0............................................@..........................(..k.......x........!..............P........,.. ...............................xO..@............................................text...+........................... ..`.data....@...0...$..................@....rsrc....!......."...B..............@..@.reloc...=.......>...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):238928
                                                                                                                                                                                                                                        Entropy (8bit):7.071067596161183
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:OG9NqQQHPItXExQNj+mB92u+CW5D37LnuHc45X0T5/uyFNJpfUarTtBB:99AP2b+mBQVJLnYlETtug5T
                                                                                                                                                                                                                                        MD5:2A397EFDA6D84A15B890D56D4292BA6E
                                                                                                                                                                                                                                        SHA1:F985E4893119E6C30191DE84DA25059B33F902A8
                                                                                                                                                                                                                                        SHA-256:398AEC7557E2E1DB30EFCA6FDA0D7D23940B863B396C1A4FC2BB588294F595E6
                                                                                                                                                                                                                                        SHA-512:A199C2FF26C3A3E1DA54D8386F568FA900B853FE3D3754100904EF3153CD72D672971FF72141D9AE5F5BC467D59E2DDC69856C761BBA9DA4488FC69F52A9E5E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................_.........B....Y......O.....^......H.....X......].....Rich....................PE..L....N.\...........!.........t...............@............................................@.........................p<..|...<1..........................P...........P................................C..@............................................text....,.......................... ..`.data...@2...@.......2..............@....rsrc................H..............@..@.reloc...*.......,...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):249168
                                                                                                                                                                                                                                        Entropy (8bit):6.2058943183487445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:E/vPLr8AhQh4jhNgZzSNPSVlX4T1FrKT7EjUOkdny+ywlJZcWzV8TMXU7o91y4Rd:i3LIl4XgsSVloTnPYdn7lJZRZ8QXqsJ/
                                                                                                                                                                                                                                        MD5:EB8DA0234C4D7C7A58B8FB820AFB4BD2
                                                                                                                                                                                                                                        SHA1:1DED1192371D0B0BF17F5AC908A96A1499C1CABD
                                                                                                                                                                                                                                        SHA-256:88F7BDCB33CDC34B5E8834634A36E2B6A45015016C47EFE4B846A4D202326093
                                                                                                                                                                                                                                        SHA-512:789725D38C041CDC311065E7987CC7E79F9A6C00E2F3ABD37096A04F81258636AB0DA6B99F895CC80DA9F770DB0C594EB8467CCA1B77854E091F8FA18F19200D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.V.z`8.z`8.z`8.s...{`8.s...u`8.z`9..`8.s...s`8.s...O`8.s....`8.s...{`8.s...Y`8.s...{`8.s...{`8.Richz`8.........PE..d....N.\.........." .....H..........................................................]@....@..........................................U..}....J...................)......P.......`...@................................................................................text...-F.......H.................. ..`.data....O...`...*...L..............@....pdata...).......*...v..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):237008
                                                                                                                                                                                                                                        Entropy (8bit):6.30179636306813
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:B+2HsTNg3ex5PUwoEK2dvK7PnGxOkf9V3QhjTvI9Nle9owmPDXpUIJonb:BDHsT2qvoEKMAGxOkVJQhjTAEgY
                                                                                                                                                                                                                                        MD5:7DD3CA728E061F9C438209935DF41FD8
                                                                                                                                                                                                                                        SHA1:D291C17619FB2E9B8A4CF07B53A56DC60CFB4C8E
                                                                                                                                                                                                                                        SHA-256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
                                                                                                                                                                                                                                        SHA-512:E7D0AB0EB37F6B245B1EBDE46C2D9184AB801EB659E4F4ED7C2AFD07843A1646612290AD3C315EE9BF7FC1A9425B58E2A03810014DDBB621EB46B331AA2E753E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w..w..w...&..w...&..:w...&-.w..c.9.w..w...w..%..w..%..w..%).w..we.w..%,.w..Rich.w..................PE..d...+..Z.........." ................|N..............................................;.....`.........................................`;..Y....;..................0!..............T...@...8...............................p............................................text...[........................... ..`.rdata..............................@..@.data....?...P.......8..............@....pdata..0!......."...T..............@..@.rsrc................v..............@..@.reloc..T............~..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):168784
                                                                                                                                                                                                                                        Entropy (8bit):6.240155377344884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:l0fRIF+SwIL9Bagg2mCEPToX/ITpu0uOpDSgb2WXa+qM5F:CfaCIJbglCe1Vu0uIDSlOF
                                                                                                                                                                                                                                        MD5:77C729F857CFA38CFE4FCB18EE8F6BAD
                                                                                                                                                                                                                                        SHA1:938F96F880E824D03F1174C3D1CD56922452E5CC
                                                                                                                                                                                                                                        SHA-256:C1C016F2917B395A16936C692C35B8E6CC4C0196C26BC69AA8A686747BA690AD
                                                                                                                                                                                                                                        SHA-512:F921A945EFAD2DF95BAB6574029D6E4502A1C2D52E44550547CE2C812E8D06E8120F9EAB07F728E97F17C4949CC112F20E59938906E0F26988E4F79903BCF658
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#U..pU..pU..p\..p^..pU..p8..p\..pT..p\..p\..p\..pe..p\..p"..p\..pT..p\..pA..p\..pT..p\..pT..pRichU..p........................PE..d....N.\.........." .....*...j......................................................w.....@.........................................`8..{.......x....................v..P...........p................................................................................text....(.......*.................. ..`.data....?...@......................@....pdata...............L..............@..@.rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):187216
                                                                                                                                                                                                                                        Entropy (8bit):6.244838939180771
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoK4:jvPb6OVrVNJ1ufqBEACjGK
                                                                                                                                                                                                                                        MD5:8E2C3434811B348F7AB9F7DEC6E95C3B
                                                                                                                                                                                                                                        SHA1:349682719857DB46E4A7EBFCEF0F85264B3116F3
                                                                                                                                                                                                                                        SHA-256:11F45D049C8FABF308944D77D17AB3FBB0A7BB5BFA143263B9EFBECA3A568EE3
                                                                                                                                                                                                                                        SHA-512:C271F2BBED3E740D771AF1A3BF684F4CB67C8F9B0D20E7D886817602F76BE8A432B05AB4E2AC8FDFCEEAA194602C81D8C9FFE6E015D224C6DC9C40F125365F5D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...Z...Z...Z......Z...[..Z.......Z.......Z......Z......Z.......Z......Z.......Z.......Z.Rich..Z.................PE..d....N.\.........." .....n...n....................................................... ....@.........................................0}..z....r..........................P...............................................................X............................text....m.......n.................. ..`.data....?...........r..............@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):244560
                                                                                                                                                                                                                                        Entropy (8bit):6.236867435454928
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:RuctDSdRbMOiymM/Cufn5B+1jowgreeTwcL:RqXMOFmA5VwgBE0
                                                                                                                                                                                                                                        MD5:61BD6282DB08405FD08C64BC00CEBF4B
                                                                                                                                                                                                                                        SHA1:EC4391249AE7247162C0D28B50ED73B1DCD11246
                                                                                                                                                                                                                                        SHA-256:A3BF8ED5ACCB8EBCA5C9A4430FA54A492E39160AE2BA51285D241D75F1743848
                                                                                                                                                                                                                                        SHA-512:DFEF9209C57E890F7D29280F6A296C5A9D1C3F496464C9EEA28DB0E1C407F2C5042DF926D442480359A120A93D8C44536C5A0C119C3AB6E7D15685F157E28DD6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kNgi//.://.://.:&W.: /.://.:R/.:&W.:./.:&W.:&/.:&W.:./.:&W.:W/.:&W.:./.:&W.:./.:&W.:./.:&W.:./.:Rich//.:................PE..d....N.\.........." .....>...~......`.....................................................@..........................................L..|....@.......... ........*......P............................................................................................text....=.......>.................. ..`.data....A...P... ...B..............@....pdata...*.......,...b..............@..@.rsrc... ...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):333136
                                                                                                                                                                                                                                        Entropy (8bit):6.120290709944056
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:TJNLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00Io:TJ1j1aVfgFiQ/ug/G1
                                                                                                                                                                                                                                        MD5:8EFFB8A42CBC831CD360E9B1BEF65D98
                                                                                                                                                                                                                                        SHA1:BA78110DA11B7C8C6432F1A128B7D9DF384AE9FD
                                                                                                                                                                                                                                        SHA-256:ECB1BCEA47422DBFD4326669AC5B2DB463088994B12008258EFF2C546237864F
                                                                                                                                                                                                                                        SHA-512:B29D4B954619355A2797A4CA88664BC9679AD1C5EB4A2FE54BAE63399DF06405969B4E2D0098AD6A7C8E0C7A2A9E19F0DE20C5B1D401D933D89D2D71F7A32789
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f2Ji.aJi.aJi.aC..aKi.aC..aAi.aJi.a?i.aC..aCi.aC..azi.aC..a>i.aC..aKi.aC..aci.aC..aKi.aC..aKi.aRichJi.a........................PE..d....N.\.........." .....P...........N.......................................@......5C....@..........................................]..k....S..x........!.......:......P....0..........................................................P............................text...[N.......P.................. ..`.data....V...`...6...T..............@....pdata...:.......<..................@..@.rsrc....!......."..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):273232
                                                                                                                                                                                                                                        Entropy (8bit):6.8361644522698635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7j4c/JPjXOQTuGkfIpmWpnETJLnYlETtu/:7j4cBbEZTTJDY+0
                                                                                                                                                                                                                                        MD5:C52E66AE497C51CF73098D494EEBF8F0
                                                                                                                                                                                                                                        SHA1:8E7E38F30FAD35D8ED935B14FFA1BB5A9EABE4D0
                                                                                                                                                                                                                                        SHA-256:F6F7D5C20A078BE7ABD2402316A605F050388C6303D7F3ABC45F201D1FC5F1FD
                                                                                                                                                                                                                                        SHA-512:579E0DD63720B6D004FFBE6AE1686F43B70CEB8722DAC70FD06E5B06682C0F22282374D5394C06398252A2EA8163EA884239A8065EC5807DE1A9389A479CFC36
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}?...QH..QH..QH.d.H..QH..PH?.QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QHRich..QH................PE..d....N.\.........." .........................................................`............@.............................................|............0...........$......P....P......`................................................................................text............................... ..`.data....>..........................@....pdata...$.......&..................@..@.rsrc........0......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):867
                                                                                                                                                                                                                                        Entropy (8bit):5.162389785193304
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:XrWWFwD7WR8mI/xOZE
                                                                                                                                                                                                                                        MD5:013784DA9890EAB3D914505857EDF2B7
                                                                                                                                                                                                                                        SHA1:92C9CA11174E98F65AD6898705176ED50EF55F95
                                                                                                                                                                                                                                        SHA-256:CDA5DEBA2BE6CFE1E111DF596AC08D45762A96B14AEC796C4E70F128C0734EAC
                                                                                                                                                                                                                                        SHA-512:9D71BEE329BDDA3B8EA064BB92813062D91079BA841AE50D6CC7D2AEAD27D49279D2857141C02BD5FA565D5C497E9E8E8163579A425F7C87550F1F0EFC194652
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):879
                                                                                                                                                                                                                                        Entropy (8bit):5.190136582088596
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:XrWWFwD7WR8fCI/xOZE
                                                                                                                                                                                                                                        MD5:0A0EE03D0C51915B2815280B476530F4
                                                                                                                                                                                                                                        SHA1:6C074D8E0D462B6E6D0CC5C02BABB88D483E3551
                                                                                                                                                                                                                                        SHA-256:C3FB7578267FA09C4446C926532FD869DD8E74CD20AF2915BBEE32DB4D647C9D
                                                                                                                                                                                                                                        SHA-512:85EC5D2898892F847618D7A10D7DD680839A3D0E55603D56C5C39568E8D7B0F63F7A10BF4B063611B9ECD395BD73B89010B421ADD481CDBEF0A50B3770A9C9F8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_mount.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):214
                                                                                                                                                                                                                                        Entropy (8bit):4.631936044721133
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                                                                                                                                                        MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                                                                                                                                                        SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                                                                                                                                                        SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                                                                                                                                                        SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_unmount.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):203
                                                                                                                                                                                                                                        Entropy (8bit):5.068283784998216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                                                                                                                                                        MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                                                                                                                                                        SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                                                                                                                                                        SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                                                                                                                                                        SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17908
                                                                                                                                                                                                                                        Entropy (8bit):6.33935778048778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:fNDJbjaXGStblM2wk0mev6/9IDRfupdYpJIBbIgx+4lMrp2/CsECw8nYe+PjPVhc:n3dw75xa1Sw8nYPLVhtOUez
                                                                                                                                                                                                                                        MD5:2DAC6568B843EBDC5C98598CA32918BE
                                                                                                                                                                                                                                        SHA1:E7740E4BE7F71A82ADBB6E5224D33534E237614C
                                                                                                                                                                                                                                        SHA-256:EB61A0E06BF8C69597F9BB1909E3EB4F926E49800C3F9721FDA3007993DA5EE7
                                                                                                                                                                                                                                        SHA-512:1BC8AA82E68911F5EE1835D19CF49A736C1C35C2F6B4FCD48C3C6FCF7FF6958400D1E815C5E891E172AF9035232175BB00E8A21F5A0590F02DC683F45A6C3D8B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.E...*.H........E.0.E....1.0...`.H.e......0.)...+.....7....(.0.(.0...+.....7....."@..g.O........190419043016Z0...+.....7.....0.(*0....R0.7.B.D.E.B.D.2.1.F.7.7.9.4.E.8.9.E.A.B.D.7.8.5.2.7.7.0.F.9.C.3.C.7.E.4.2.5.0.6...1..Q08..+.....7...1*0(...F.i.l.e........x.d.b.o.o.k...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.............w...'p....%.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.9.2.2.5.D.8.6.A.4.8.9.4.8.1.5.2.D.E.3.A.F.3.4.6.4.9.1.B.8.9.3.5.7.9.2.5.3.C.A...1..G06..+.....7...1(0&...F.i.l.e........x.d.n.u.p...g.p.d...0E..+.....7...17050...+.....7.......0!0...+........."]...H.-.4d...W.S.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.3.F.C.5.E.A

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2793
                                                                                                                                                                                                                                        Entropy (8bit):5.507689832444162
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                                                                                                                                                        MD5:313535621266212971E303AF0AF4FE21
                                                                                                                                                                                                                                        SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                                                                                                                                                        SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                                                                                                                                                        SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2543
                                                                                                                                                                                                                                        Entropy (8bit):5.42985763446162
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2uMRFNu4TMlWaDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKc:QFQ4ShC66ZLq7UAq7zq7o
                                                                                                                                                                                                                                        MD5:C228BF417378FD98E4229A2BA3054CAE
                                                                                                                                                                                                                                        SHA1:175CCDA93EF8EDBFAB2F1BE507F64690FE5BECE9
                                                                                                                                                                                                                                        SHA-256:1DFD5E0AD2765E39A614EF56603A749C095DDC00E6F50079CDDDA8E18159E73B
                                                                                                                                                                                                                                        SHA-512:6F9D65AA46B702E55D34532A37B33993AD53AB305679768F419A74B8CE2EF8C494CC877606C3C663545111F1189CE4456798D465C1A5EB4F7B6708DEB2A6B719
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F /Q "%

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2513
                                                                                                                                                                                                                                        Entropy (8bit):5.408021383480619
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2uMRFNu4TMlWkDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SDC64ZLq7xq7zq7Z
                                                                                                                                                                                                                                        MD5:DB05A3CA2E7604DC2E29A922A4545075
                                                                                                                                                                                                                                        SHA1:0430C36BD56EAC3F65E0060CE91DC60E31F822C5
                                                                                                                                                                                                                                        SHA-256:9E0BD257BFE859F462EEE9E0F1DC20768425F73C9E90B0F7F5EE450726FBB56F
                                                                                                                                                                                                                                        SHA-512:9FDD486F4F7F5D1ED3CBEF4A2246416F88643E27E76D79A433E5450D8790BA264C3219555A0CB57602BC2E3F884C1E1449EA0688D59355D68E23DBE9499F8B60
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd64.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%WINDIR%

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                        MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                        SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                        SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                        SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                        MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                        SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                        SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                        SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7680
                                                                                                                                                                                                                                        Entropy (8bit):5.202360830491015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:6HbQ34Dthj/wKzGMdCprD4iZ7F+gUABoTndoIvJJGtVAm6XyC7tCEqqb:6Hs4thgNDZ7F+gvqdHvJJ4VR6XPnb
                                                                                                                                                                                                                                        MD5:B6CA717203EF9E8DD1205CAC5D3AF38F
                                                                                                                                                                                                                                        SHA1:818438149A92551042A5D2ABD9000DBE67D93C67
                                                                                                                                                                                                                                        SHA-256:66986A04FDEF120D7F18351648A8737979DFAA3CA82F6504B3EA14F45BEC130C
                                                                                                                                                                                                                                        SHA-512:99D21F55B7E754A2D6063BE9302874D757344893CB496F574C2DB7F124071C361894508BADF7137B17A572EF9792F7E3B3C21292250D76CD33B9863D52A300D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..|..|..|..u.!.}..u.7.i..u.0.~..u.'.{..|..W..u.>.~..u.%.}..Rich|..................PE..L.....8R..................................... ....@..........................`......q.....@.................................."..P....@.......................P..T.... ...............................!..@............ ...............................text...>........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216416
                                                                                                                                                                                                                                        Entropy (8bit):6.5890891928333435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:8JzsVxRROApObap+CPSxzqNJ3pvfsFMV2+/SRVxy8iK:8EOb5x2NxqFMaP
                                                                                                                                                                                                                                        MD5:D57E38A511B607A79307F6966D5F862A
                                                                                                                                                                                                                                        SHA1:7F66DC176D9BDE0715A9050CAD9BA91785F7B192
                                                                                                                                                                                                                                        SHA-256:EF3A7B03F011CBAD96F503BF12BD151B97BAE1EACC700A7F352D175CCFDDB969
                                                                                                                                                                                                                                        SHA-512:72DF85067747090A20441F052796F5BCED00B4F8268568F14646A0C5A0CCD27DC87C9AFEEC689178F885CEDEE0636D61F238F36348F66E7D2EE940D09130C2C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<..<..<..5.5.3..<.....5.3.*..5.%.B..5.4.=..5.".k..5.2.=..5.7.=..Rich<..................PE..L....N.\...........!.........v......8........................................P......R.....@.........................@...}...\...........................`A... ......@................................T..@............................................text............................... ..`.data....>..........................@....rsrc...............................@..@.reloc.../... ...0..................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):214992
                                                                                                                                                                                                                                        Entropy (8bit):6.578816818366091
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1yYZVBVmekQ5ncHc43wAmaxEJg3tNqYU51pQ8DfqXF7q9B24CvJ6BAQ:1y8Vf1uTHNqYUH+8GeMvJ4t
                                                                                                                                                                                                                                        MD5:DDBCBCED9CCBA27D296B680D04178B1D
                                                                                                                                                                                                                                        SHA1:5BE1EF49678E4F9250B675DFE595DF1219DD7EF9
                                                                                                                                                                                                                                        SHA-256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
                                                                                                                                                                                                                                        SHA-512:B913058A50A4235925F208E9FA8740DDA1A070168285401FD9C9032C0CC782887F5D92A0D68796D7473E61EE8DDC1E863503C288CAD1F99C233A0DEDE37CB314
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mX.])9r.)9r.)9r.oh...9r.oh..<9r.oh...9r. A..&9r.)9s.G9r.$k...9r.$k..(9r.$k..(9r.)9..(9r.$k..(9r.Rich)9r.........................PE..L...-..Z...........!................(C...............................................:....@.............................Y............P...............0.......`..........8...........................8...@............................................text...p........................... ..`.rdata...e.......f..................@..@.data....4..........................@....rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):156512
                                                                                                                                                                                                                                        Entropy (8bit):6.590357914627137
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Wooboos//G/jWDiNza6LR07qZ2bzl409+E/PXwCSp6WKsAqHew+1l7nkrZg8iE:WooyFiJRmbzl4mZYYqHz+1l7ki8iE
                                                                                                                                                                                                                                        MD5:C892519FE8AE2163C1368579EEC134F3
                                                                                                                                                                                                                                        SHA1:D5C75AABEDAD20373E7CA40CAF5C986C850974BE
                                                                                                                                                                                                                                        SHA-256:B8C8B0F1DB2CEA6FAB3EEE350143BC677DA3A1E4B246325852B8A0B94A4A77D4
                                                                                                                                                                                                                                        SHA-512:7A2C0C78237E8528AD691D2F7377D33FFCCA06925359CAD0B787DF919A81EDDCB9296F1EE446BDE83CECF3520A070E72BE7956838BD1337987B422127121E093
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V..V..V..._..V..V..V...Y..V...O..V...^..V...H..V...X..V...]..V.Rich.V.........................PE..L....N.\...........!.........`.......q.......................................p......(.....@.............................{.......x....0..............."..`A...@......................................P>..@............................................text...;........................... ..`.data...@2..........................@....rsrc........0......................@..@.reloc..D$...@...&..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):169312
                                                                                                                                                                                                                                        Entropy (8bit):6.584431984131001
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:XizpEi8PNuoyZLy39r4BRyFr8Tjqe1LP+0hORTj8i0K:XUpX8FYFyB8T2oyREtK
                                                                                                                                                                                                                                        MD5:4FFADA79BA20A933429F72D3B8CF61D9
                                                                                                                                                                                                                                        SHA1:77E7346EF7E7A31A8000150B4B0E4B21CA3BF381
                                                                                                                                                                                                                                        SHA-256:0FF6DD54C4DC7368BD7BAEFFA8CBD294DB31AA318F8F0FBD9088C15B61EB8854
                                                                                                                                                                                                                                        SHA-512:839ABEBEF1A76D168043C8DDFB6B8DF958CA89C3DF602B5B538EB6398332E785C4B0359CB6DF557252BD1191BCAC5C1E1AED6942D2848B5C898BA2FC8EF8D0B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c....j..j..j.z...j..k...j.z...j.z....j.z...j.z....j.z...j.z...j.Rich..j.................PE..L....N.\...........!.........b......%........ ......................................O.....@.............................z............`...............T..`A...p.......................................C..@............................................text............................... ..`.data....2... ......................@....rsrc........`.......&..............@..@.reloc..t&...p...(...,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):204128
                                                                                                                                                                                                                                        Entropy (8bit):6.5795919533739005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:9w8wZDxspqPfbuSqQCoSz6/e1+1FiATl8i9:fw3owojmVW0
                                                                                                                                                                                                                                        MD5:B4AD99DFCCB67C77F6C8E142EE5AD5BA
                                                                                                                                                                                                                                        SHA1:D10B7BE8A5C339185B8E409D4C0BE2103230BAA0
                                                                                                                                                                                                                                        SHA-256:5A280F84B70F41D90B122DBC8E8FCBDA414353CC5C87580FA30B3B51B7696207
                                                                                                                                                                                                                                        SHA-512:EEBC321D90737E161B452D6E27398D1CC1D4737DBE90F7FE5C407C1732178E30CD87228FB0C8B6C6F3B118DC7E46985D231F3059996452861BFCA1AD4A098077
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c!...O..O..O.z...O..N...O.z...O.z....O.z...O.z....O.z...O.z...O.Rich..O.........PE..L....N.\...........!.........h......Z}....................................... .......-....@.............................|............... ...............`A......4... ................................M..@............................................text...<........................... ..`.data....3..........................@....rsrc... ...........................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254816
                                                                                                                                                                                                                                        Entropy (8bit):6.5058723884762335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:kw+rqKMvEZF6VPvVpb1eTjLp8D3qkTmII9b9zC+l+smDP00IPWx2wUj8ii:kdrWgFEPNB+MPTHIWjP00IedH
                                                                                                                                                                                                                                        MD5:BB8D8CE6F052BE2BA3A39768528B88C6
                                                                                                                                                                                                                                        SHA1:0C2D48F22C7231C52C9FDDD35120E971ABA05EC4
                                                                                                                                                                                                                                        SHA-256:B61BA88D2BB36A0A56F00C455BBC530703415F176B5715E9D24FAB82CC935140
                                                                                                                                                                                                                                        SHA-512:EF3CED636733BCF45CE4E1D21D33F50945D6FFE2A5478A19D538A30C3071E5F78D539B0E3718EEAF404614EEE182E60AE3697E499C0D7EC769D272CD5B58CCA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.Cr.Cr.C{.2Cy.Cr.C..C{.4Cg.C{."C..C{.3Cs.C{.%C*.C{.5Cs.C{.0Cs.CRichr.C................PE..L....N.\...........!.........................0.......................................l....@..........................(..k.......x........!..............`A.......,.. ...............................xO..@............................................text...+........................... ..`.data....@...0...$..................@....rsrc....!......."...B..............@..@.reloc...=.......>...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):248160
                                                                                                                                                                                                                                        Entropy (8bit):7.1098745205591625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:AG9NqQQHPItXExQNj+mB92u+CW5D37LnuHc45X0T5/uyFNJpfUarTtvU8il:f9AP2b+mBQVJLnYlETtug5jw
                                                                                                                                                                                                                                        MD5:62945189F63210AFE22EC07C93A323C2
                                                                                                                                                                                                                                        SHA1:ADEE11D641B6BC9E9F46B95388680D291C795A33
                                                                                                                                                                                                                                        SHA-256:DD36F7448202BB06C634DD18F911B830615B61E9849900C7DCD92B1157F2C671
                                                                                                                                                                                                                                        SHA-512:B62D7E7668F2E02330690D373EFB815FBBBD12E771FDB4EA46EDA8386AB8A969DB40158132F8C15ACA65C87CDF8920D46075055BB9B73DF42FD49777DF7EB6BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................_.........B....Y......O.....^......H.....X......].....Rich....................PE..L....N.\...........!.........t...............@............................................@.........................p<..|...<1..........................`A..........P................................C..@............................................text....,.......................... ..`.data...@2...@.......2..............@....rsrc................H..............@..@.reloc...*.......,...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):258400
                                                                                                                                                                                                                                        Entropy (8bit):6.288592681682295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:I3LIl4XgsSVloTnPYdn7lJZRZ8QXqsJ3H+:IUlJVmgh5asJ3+
                                                                                                                                                                                                                                        MD5:372C4A2430E2BF3E0A3C0D51996ADEA5
                                                                                                                                                                                                                                        SHA1:F6F2F8D750D08BE940AE2B655804C106E9C7491D
                                                                                                                                                                                                                                        SHA-256:FE632C826ABA5F694DE6684506B72BDECBFD712E9DE2ACDDDE1F2C880EE2646B
                                                                                                                                                                                                                                        SHA-512:C017A180893D39463068DA5DF647D959603CEE7979CA420963FEF9D09309FCA0B744D7268DC2A0FC4AFCD41F912714CF14003CC9AC5FB6A033AA91962E9981C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.V.z`8.z`8.z`8.s...{`8.s...u`8.z`9..`8.s...s`8.s...O`8.s....`8.s...{`8.s...Y`8.s...{`8.s...{`8.Richz`8.........PE..d....N.\.........." .....H................................................................@..........................................U..}....J...................)......`A......`...@................................................................................text...-F.......H.................. ..`.data....O...`...*...L..............@....pdata...).......*...v..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):237008
                                                                                                                                                                                                                                        Entropy (8bit):6.30179636306813
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:B+2HsTNg3ex5PUwoEK2dvK7PnGxOkf9V3QhjTvI9Nle9owmPDXpUIJonb:BDHsT2qvoEKMAGxOkVJQhjTAEgY
                                                                                                                                                                                                                                        MD5:7DD3CA728E061F9C438209935DF41FD8
                                                                                                                                                                                                                                        SHA1:D291C17619FB2E9B8A4CF07B53A56DC60CFB4C8E
                                                                                                                                                                                                                                        SHA-256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
                                                                                                                                                                                                                                        SHA-512:E7D0AB0EB37F6B245B1EBDE46C2D9184AB801EB659E4F4ED7C2AFD07843A1646612290AD3C315EE9BF7FC1A9425B58E2A03810014DDBB621EB46B331AA2E753E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w..w..w...&..w...&..:w...&-.w..c.9.w..w...w..%..w..%..w..%).w..we.w..%,.w..Rich.w..................PE..d...+..Z.........." ................|N..............................................;.....`.........................................`;..Y....;..................0!..............T...@...8...............................p............................................text...[........................... ..`.rdata..............................@..@.data....?...P.......8..............@....pdata..0!......."...T..............@..@.rsrc................v..............@..@.reloc..T............~..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178016
                                                                                                                                                                                                                                        Entropy (8bit):6.354805848687379
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:X0fRIF+SwIL9Bagg2mCEPToX/ITpu0uOpDSgb2WXa+qubG8iu:EfaCIJbglCe1Vu0uIDSlWtf
                                                                                                                                                                                                                                        MD5:D16039589730B0C6E6B5227C041FB1B4
                                                                                                                                                                                                                                        SHA1:F8F942DBB62CBC15F7ED0BE8750C9C564638FBF8
                                                                                                                                                                                                                                        SHA-256:ACA0DF6F5EB1DE40506943B30BBDA614F886523C093F5C9A3587C3E1161F0DF0
                                                                                                                                                                                                                                        SHA-512:35ED0D4AD06E4979970CA2AD58B81735E50AAB755605216BB059EBE698B82F6C627F5F7E29ADC9FB3BC58C7EFB4E8ACA2B323F2E2813D4EA7EE39363DE0E1D64
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#U..pU..pU..p\..p^..pU..p8..p\..pT..p\..p\..p\..pe..p\..p"..p\..pT..p\..pA..p\..pT..p\..pT..pRichU..p........................PE..d....N.\.........." .....*...j......................................................K.....@.........................................`8..{.......x....................v..`A..........p................................................................................text....(.......*.................. ..`.data....?...@......................@....pdata...............L..............@..@.rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):196448
                                                                                                                                                                                                                                        Entropy (8bit):6.349185940783631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:lSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoEM8ip:AvPb6OVrVNJ1ufqBEACjG/Y
                                                                                                                                                                                                                                        MD5:A88901EB863EC013B461A84DACB4C795
                                                                                                                                                                                                                                        SHA1:40303F44732A2C8DBEAF4EC13CD32FCED66D8F8A
                                                                                                                                                                                                                                        SHA-256:FF295F8914F76DFE707455FE633BFC42B805BB4D3274C2290E1E5D56A383E969
                                                                                                                                                                                                                                        SHA-512:92BD7F2CE6DB83A744972503B4352ADC210FE10C0BDC026F953A925361365E95B79A4A1CEF3677266AE7178FAC24AA64A353115362E987F1DFD84BA38A6F9B25
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...Z...Z...Z......Z...[..Z.......Z.......Z......Z......Z.......Z......Z.......Z.......Z.Rich..Z.................PE..d....N.\.........." .....n...n...........................................................@.........................................0}..z....r..........................`A..............................................................X............................text....m.......n.................. ..`.data....?...........r..............@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):253792
                                                                                                                                                                                                                                        Entropy (8bit):6.319719994714089
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:NuctDSdRbMOiymM/Cufn5B+1jowgreeTwcV1:NqXMOFmA5VwgBEg1
                                                                                                                                                                                                                                        MD5:668A98269B12A2C17E39137AC8D7B716
                                                                                                                                                                                                                                        SHA1:E438E9031338158FE70B9D7821200DC4929380CA
                                                                                                                                                                                                                                        SHA-256:200D323E0842ABC93E22F6D475928AB0DAC6AA9F3824CF8E729E8049852AC54A
                                                                                                                                                                                                                                        SHA-512:E2E425489A084022AE23AF65D4869B24A247E3159DA5ED4E31B0CDB11C0BE30AF9EEA12ECF68F9C8269B60ECC1BB489F3EFDE00F4F8885AA2631EFAB3E54BCBC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kNgi//.://.://.:&W.: /.://.:R/.:&W.:./.:&W.:&/.:&W.:./.:&W.:W/.:&W.:./.:&W.:./.:&W.:./.:&W.:./.:Rich//.:................PE..d....N.\.........." .....>...~......`................................................8....@..........................................L..|....@.......... ........*......`A...........................................................................................text....=.......>.................. ..`.data....A...P... ...B..............@....pdata...*.......,...b..............@..@.rsrc... ...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342368
                                                                                                                                                                                                                                        Entropy (8bit):6.187004427741537
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:T7NLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00I7Q:T71j1aVfgFiQ/ug/GMQ
                                                                                                                                                                                                                                        MD5:96BDC666BCD7D432D6C7D4170C8E6046
                                                                                                                                                                                                                                        SHA1:1B705A191731ECA3369435D9906C8275C5D326C2
                                                                                                                                                                                                                                        SHA-256:DC4C32919B533A79D9EA76BDE59975DD149AA9C7B7278B076019C080A3A97C56
                                                                                                                                                                                                                                        SHA-512:DDD9E42633F98A7E5F6F7E3E4571815F9D80EA16084B23A82DBE22E929FD6F0BD791EB3DFA7BB229D73D101C66077C99FE47A5CEAB1DF6917A6E4DF209853162
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f2Ji.aJi.aJi.aC..aKi.aC..aAi.aJi.a?i.aC..aCi.aC..azi.aC..a>i.aC..aKi.aC..aci.aC..aKi.aC..aKi.aRichJi.a........................PE..d....N.\.........." .....P...........N.......................................@......~d....@..........................................]..k....S..x........!.......:......`A...0..........................................................P............................text...[N.......P.................. ..`.data....V...`...6...T..............@....pdata...:.......<..................@..@.rsrc....!......."..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):282464
                                                                                                                                                                                                                                        Entropy (8bit):6.880530047125276
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:tj4c/JPjXOQTuGkfIpmWpnETJLnYlETtuwv:tj4cBbEZTTJDY+jv
                                                                                                                                                                                                                                        MD5:F26D954E0F23049CAA4F698934DB5371
                                                                                                                                                                                                                                        SHA1:B0FC39DFF9871778A767B95F0D1CD6E56F939071
                                                                                                                                                                                                                                        SHA-256:186500D4E31ADF5FA2DC02F112EDE6FCA86C1BC48731EA224CFE83C160ABD1CD
                                                                                                                                                                                                                                        SHA-512:BF79667EC9E85FCC6214BB8B3352DCF4B43A042708F471C293B507574A446D938C4E5981C6E9FA4E81AF98A91B6A72CB678F06B91E064F3FCA48744DC0DFF94F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}?...QH..QH..QH.d.H..QH..PH?.QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QHRich..QH................PE..d....N.\.........." .........................................................`...........@.............................................|............0...........$......`A...P......`................................................................................text............................... ..`.data....>..........................@....pdata...$.......&..................@..@.rsrc........0......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):870
                                                                                                                                                                                                                                        Entropy (8bit):5.164710229415834
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:BrWWFwD7WR8mI/xOZE
                                                                                                                                                                                                                                        MD5:50B0957220D10275274CAC025EAA6883
                                                                                                                                                                                                                                        SHA1:8F677ED1CD73A05F634AA06AD6BED1DA4C6BD80F
                                                                                                                                                                                                                                        SHA-256:B76D74AEC705A3F9FD055307A966777ADB279FB06D03524C992E608FE73AEB22
                                                                                                                                                                                                                                        SHA-512:C62DAAC3AC516500D819718BF5697D948B6EB684276A21A80E6E9C26FE5F1D0593D7FE281702D3BC48D2A1897B0EB7BD910CEE0978950C0F6636FB86E72B6BD3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):882
                                                                                                                                                                                                                                        Entropy (8bit):5.192332970304343
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:BrWWFwD7WR8fCI/xOZE
                                                                                                                                                                                                                                        MD5:16BBC22B18C5325649C98DD02F3DDDBF
                                                                                                                                                                                                                                        SHA1:B6F97171D20CBC84DEDB07C304F92B25B5A08450
                                                                                                                                                                                                                                        SHA-256:8C3BED319076C7B27FB5D9CD7DCE31E8EE09624E191BC3D709962426FB12951A
                                                                                                                                                                                                                                        SHA-512:293E8BF93A22021FD80AA95A30965287BF40F5030DA457BC16D004E86C3B3FF8983DA8C0D743A42F1CBF935A2EB8E1CB5FCB488914B51330686B2C60BD1C71B9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\p_mount.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):214
                                                                                                                                                                                                                                        Entropy (8bit):4.631936044721133
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                                                                                                                                                        MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                                                                                                                                                        SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                                                                                                                                                        SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                                                                                                                                                        SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\p_unmount.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):203
                                                                                                                                                                                                                                        Entropy (8bit):5.068283784998216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                                                                                                                                                        MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                                                                                                                                                        SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                                                                                                                                                        SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                                                                                                                                                        SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\stprinter.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19851
                                                                                                                                                                                                                                        Entropy (8bit):6.774813122930257
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:UelM68cpgw3otOCxH50u4RkeelMpSfpd/CJHJ2elMSJfApwtNJKGT1hvJNMvIqvQ:EWtO5smIwg9Zh3q8pUclGNbc
                                                                                                                                                                                                                                        MD5:1D56A3F8D7F5DAB184A8CC4FEDDAA173
                                                                                                                                                                                                                                        SHA1:75D291CB96FDC05D54C962F1CB08796EE439B22F
                                                                                                                                                                                                                                        SHA-256:84E1A32B4975E92477CF6A36D8931921DA735EF988E0C09A2B056F2904541B1E
                                                                                                                                                                                                                                        SHA-512:FB58167A98D9309A703F06D5C6414AB707B37E90A26BFC1C0812B10381C116FA6C7C26AC30FC8570B8F87186775BC64E7AF6D409A7D213FC3B4B76B0B7A76FB6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.M...*.H........Mx0.Mt...1.0...`.H.e......0.)...+.....7....).0.).0...+.....7.......m...G..|.O.p...190419044412Z0...+.....7.....0.(.0.... ....z.sXce...j.....Z.j.R...Z.#/.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........x.d.s.m.p.l.u.i...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....z.sXce...j.....Z.j.R...Z.#/.0.........w...'p....%.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...08..+.....7...1*0(...F.i.l.e........x.d.b.o.o.k...d.l.l...0.... ...v...f..t..t........n.....d.*1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........x.d.w.s.c.r.g.b...i.c.c...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ...v...f..t..t........n.....d.*0.... ..T...x....0.DU._........z.^...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........x.d.p.g.s.c.l...g.p.d...0U..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\stprinter.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2793
                                                                                                                                                                                                                                        Entropy (8bit):5.507689832444162
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                                                                                                                                                        MD5:313535621266212971E303AF0AF4FE21
                                                                                                                                                                                                                                        SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                                                                                                                                                        SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                                                                                                                                                        SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2561
                                                                                                                                                                                                                                        Entropy (8bit):5.431790187193416
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2uMRFNu4TMlWoDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKo:QFQ4SDC66ZLq7UAq7zq7E
                                                                                                                                                                                                                                        MD5:AD8561D2E73AFD63F5A088972D435467
                                                                                                                                                                                                                                        SHA1:FA7F53A308C00B0C5E1ACE95489658840EAF13A3
                                                                                                                                                                                                                                        SHA-256:68C4AF8BB6C4FB75CFA95739DF4E3B288DBBFB141E6851275E2F9EFFCA893015
                                                                                                                                                                                                                                        SHA-512:AA240EFD0EFD508CE48D444997E65DE8A36DE321764196C294F1366A77C3D30AEA6BF31AF53C7644BD3D027284B266D06D0B574E69598D50D44005718F3F2178
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2519
                                                                                                                                                                                                                                        Entropy (8bit):5.407961236238507
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2uMRFNu4TMlWSDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SJC64ZLq7xq7zq7Z
                                                                                                                                                                                                                                        MD5:5FD0095B7389DBEDA4EC394C06AC4657
                                                                                                                                                                                                                                        SHA1:7C5D1C3E2B062F6E993AB34292749B03FD7007A8
                                                                                                                                                                                                                                        SHA-256:692FE4C899554BBFA0A05A0183F46C23A24E48FB4371DC0863B7A24452FE5252
                                                                                                                                                                                                                                        SHA-512:F38926653AF960FE11AD843E7C89BB9DC62C29225D2DF10B0CA9BA4F668637BE053778EE726F42A2DC76FA801593A08A69DE4CDEFCB9BE037CA094D34773A8D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd64.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%W

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdCMYKPrinter.icc

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):849080
                                                                                                                                                                                                                                        Entropy (8bit):6.924819797081704
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                                                                                                                                                        MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                                                                                                                                                        SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                                                                                                                                                        SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                                                                                                                                                        SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:....lino. ..prtrCMYKLab ............acspMSFT...................................-MSFT................................................desc........cprt.......1wtpt...,....A2B0...@....B2A0........A2B1...@....A2B2...@....B2A1........B2A2........gamt..^.....MS00...P..gfdesc........Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos...enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .C.M.Y.K.P.r.i.n.t.e.r...c.d.m.p.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......c........mft2................................................................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdbook.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1808
                                                                                                                                                                                                                                        Entropy (8bit):4.525972600570173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                                                                                                                                                        MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                                                                                                                                                        SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                                                                                                                                                        SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                                                                                                                                                        SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdcolman.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2718
                                                                                                                                                                                                                                        Entropy (8bit):4.658165462032682
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                                                                                                                                                        MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                                                                                                                                                        SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                                                                                                                                                        SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                                                                                                                                                        SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnames.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6871
                                                                                                                                                                                                                                        Entropy (8bit):4.6709110049190015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                                                                                                                                                        MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                                                                                                                                                        SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                                                                                                                                                        SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                                                                                                                                                        SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnup.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4068
                                                                                                                                                                                                                                        Entropy (8bit):4.508459493570281
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                                                                                                                                                        MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                                                                                                                                                        SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                                                                                                                                                        SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                                                                                                                                                        SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdpgscl.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2522
                                                                                                                                                                                                                                        Entropy (8bit):4.708364933060842
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                                                                                                                                                        MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                                                                                                                                                        SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                                                                                                                                                        SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                                                                                                                                                        SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl-PipelineConfig.xml

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2476
                                                                                                                                                                                                                                        Entropy (8bit):5.158189280019379
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                                                                                                                                                        MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                                                                                                                                                        SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                                                                                                                                                        SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                                                                                                                                                        SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11986
                                                                                                                                                                                                                                        Entropy (8bit):4.7262628705263445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                                                                                                                                                        MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                                                                                                                                                        SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                                                                                                                                                        SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                                                                                                                                                        SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):475
                                                                                                                                                                                                                                        Entropy (8bit):5.248799523355892
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                                                                                                                                                        MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                                                                                                                                                        SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                                                                                                                                                        SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                                                                                                                                                        SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdwmark.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1554
                                                                                                                                                                                                                                        Entropy (8bit):4.555759044915239
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                                                                                                                                                        MD5:C922269B15071195905ACE600AC9B02C
                                                                                                                                                                                                                                        SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                                                                                                                                                        SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                                                                                                                                                        SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdwscRGB.icc

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):124856
                                                                                                                                                                                                                                        Entropy (8bit):6.796177094859484
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                                                                                                                                                        MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                                                                                                                                                        SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                                                                                                                                                        SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                                                                                                                                                        SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...lino. ..spacRGB Lab ...........#acspMSFT...................................-MSFT................................................desc......."cprt.......1wtpt...$....A2B0...8...ZB2A0.......ZMS00..U.....desc........Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos.enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .s.c.R.G.B. .v.i.r.t.u.a.l. .d.e.v.i.c.e. .m.o.d.e.l. .p.r.o.f.i.l.e.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......T........mft2................................................BeBwB.B.B.B.B.B.B.C.C.C"C3CECVCgCxC.C.C.C.C.C.C.D.D.D$D5DFDWDhDzD.D.D.D.D.D.D.E.E.E%E6EHEYEjE{E.E.E.E.E.E.E.F.F.F'F8FIFZFlF}

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdCMYKPrinter.icc

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):849080
                                                                                                                                                                                                                                        Entropy (8bit):6.924819797081704
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                                                                                                                                                        MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                                                                                                                                                        SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                                                                                                                                                        SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                                                                                                                                                        SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:....lino. ..prtrCMYKLab ............acspMSFT...................................-MSFT................................................desc........cprt.......1wtpt...,....A2B0...@....B2A0........A2B1...@....A2B2...@....B2A1........B2A2........gamt..^.....MS00...P..gfdesc........Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos...enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .C.M.Y.K.P.r.i.n.t.e.r...c.d.m.p.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......c........mft2................................................................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdbook.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1808
                                                                                                                                                                                                                                        Entropy (8bit):4.525972600570173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                                                                                                                                                        MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                                                                                                                                                        SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                                                                                                                                                        SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                                                                                                                                                        SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdcolman.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2718
                                                                                                                                                                                                                                        Entropy (8bit):4.658165462032682
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                                                                                                                                                        MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                                                                                                                                                        SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                                                                                                                                                        SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                                                                                                                                                        SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnames.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6871
                                                                                                                                                                                                                                        Entropy (8bit):4.6709110049190015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                                                                                                                                                        MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                                                                                                                                                        SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                                                                                                                                                        SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                                                                                                                                                        SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnup.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4068
                                                                                                                                                                                                                                        Entropy (8bit):4.508459493570281
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                                                                                                                                                        MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                                                                                                                                                        SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                                                                                                                                                        SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                                                                                                                                                        SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdpgscl.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2522
                                                                                                                                                                                                                                        Entropy (8bit):4.708364933060842
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                                                                                                                                                        MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                                                                                                                                                        SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                                                                                                                                                        SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                                                                                                                                                        SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl-PipelineConfig.xml

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2476
                                                                                                                                                                                                                                        Entropy (8bit):5.158189280019379
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                                                                                                                                                        MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                                                                                                                                                        SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                                                                                                                                                        SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                                                                                                                                                        SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11986
                                                                                                                                                                                                                                        Entropy (8bit):4.7262628705263445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                                                                                                                                                        MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                                                                                                                                                        SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                                                                                                                                                        SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                                                                                                                                                        SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):475
                                                                                                                                                                                                                                        Entropy (8bit):5.248799523355892
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                                                                                                                                                        MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                                                                                                                                                        SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                                                                                                                                                        SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                                                                                                                                                        SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdwmark.gpd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1554
                                                                                                                                                                                                                                        Entropy (8bit):4.555759044915239
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                                                                                                                                                        MD5:C922269B15071195905ACE600AC9B02C
                                                                                                                                                                                                                                        SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                                                                                                                                                        SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                                                                                                                                                        SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdwscRGB.icc

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):124856
                                                                                                                                                                                                                                        Entropy (8bit):6.796177094859484
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                                                                                                                                                        MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                                                                                                                                                        SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                                                                                                                                                        SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                                                                                                                                                        SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...lino. ..spacRGB Lab ...........#acspMSFT...................................-MSFT................................................desc......."cprt.......1wtpt...$....A2B0...8...ZB2A0.......ZMS00..U.....desc........Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos.enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .s.c.R.G.B. .v.i.r.t.u.a.l. .d.e.v.i.c.e. .m.o.d.e.l. .p.r.o.f.i.l.e.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......T........mft2................................................BeBwB.B.B.B.B.B.B.C.C.C"C3CECVCgCxC.C.C.C.C.C.C.D.D.D$D5DFDWDhDzD.D.D.D.D.D.D.E.E.E%E6EHEYEjE{E.E.E.E.E.E.E.F.F.F'F8FIFZFlF}

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                        MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                        SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                        SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                        SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                        MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                        SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                        SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                        SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77824
                                                                                                                                                                                                                                        Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                        MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                        SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                        SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                        SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                        MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                        SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                        SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                        SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55112
                                                                                                                                                                                                                                        Entropy (8bit):6.95804253448452
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:+EmCoFSZSI9Xhq7xYQAucXy069A3hKhy06ia3hyKb3LCxLVNe9zLuX:+EmPFSYWXf69A3hK16x3hyKbOnNazSX
                                                                                                                                                                                                                                        MD5:9D62CBDE4079B1BE2CB1B91BDD74E539
                                                                                                                                                                                                                                        SHA1:C54E743DE54B9D1D35CDA8F15562483163A064C0
                                                                                                                                                                                                                                        SHA-256:63347E07C934A788F5996EF91D86F718C273DB6221BF448F0659F70194A65031
                                                                                                                                                                                                                                        SHA-512:E3DE199BAABCB087A07071D67F2A0EE3E0F01E06B23B75B6FDCF1146CE782263E1A63D32B4DAFF3699766FD3922AB41F9DCB4497398DB5F0DA9EA33F5FDDF24C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5..5..5..!..4..!..2..5.....!..3.....>.... .4.....4..Rich5..........................PE..L...;..b.................D...&......0p....... ....@..................................i....@E................................`p..P.......p............n..Hi...........(..8...........................8)............... ...............................text...w........................... ..h.rdata....... ......................@..H.data........0....... ..............@...PAGE.....,...@.......0.............. ..`INIT.........p.......^.............. ..b.rsrc...p............d..............@..B.reloc...............h..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):62816
                                                                                                                                                                                                                                        Entropy (8bit):6.690155437787919
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:7FkBLAYEMVmkPGsfD6ppH3hLW6G3heObqQyvzP:75YskPGiDaphWqOuQyvr
                                                                                                                                                                                                                                        MD5:9CE89A1A93E196AA261561B1E5C3AFC6
                                                                                                                                                                                                                                        SHA1:8ECDB82C1C4A9C4431826097EDB11718152AD7A5
                                                                                                                                                                                                                                        SHA-256:CBB084056495566BFC8D933D7094694053ADDB91C190F95F791016CF6368D94D
                                                                                                                                                                                                                                        SHA-512:A4E7E93819CDCFDF0ED468F0138AD2774D2D7D8A587A01A4745F61AC27DFCD41A49922827E7029FC7564DF3866C64464B7B131CEBF3D39AD85D94E533AE53C5B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+..*.+..*...+...+..+..*.+..*.+L..*...+L.a+.+L..*.+Rich...+................PE..d...8..b.........."......R...8......0..........@.....................................%....`A....................................................<.......p....p..........`i......T....<..8...........................P<...............0..0............................text...)........................... ..h.rdata.......0......................@..H.data........P.......,..............@....pdata.......p.......@..............@..HPAGE....$7.......8...F.............. ..`INIT.................~.............. ..b.rsrc...p...........................@..B.reloc..T...........................@..B........................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285
                                                                                                                                                                                                                                        Entropy (8bit):4.794885910225241
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                                                                                                                                                        MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                                                                                                                                                        SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                                                                                                                                                        SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                                                                                                                                                        SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):289
                                                                                                                                                                                                                                        Entropy (8bit):4.864786270026779
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                                                                                                                                                        MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                                                                                                                                                        SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                                                                                                                                                        SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                                                                                                                                                        SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\stvad.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11950
                                                                                                                                                                                                                                        Entropy (8bit):7.350152493437532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:mgQzOQtQyQHOQqQWNJCHF1agjEwOXP6hYCe68JGlD/Jn9VOMbSX01k9z3AoXSkqr:INg/k6h3e1GlD/LVNSR9zrVqr
                                                                                                                                                                                                                                        MD5:6E88194D307CE842B43826CA7B473411
                                                                                                                                                                                                                                        SHA1:1C8767D498A53C6287EA89BCEB43A21C4F4AF479
                                                                                                                                                                                                                                        SHA-256:E75BF820E72813D3C46D11502267B3FE445E9A7F05E855DF97811D3E2333EE3A
                                                                                                                                                                                                                                        SHA-512:016B756C585648B0AF746E906302FC021516B0419DBD9B5444B11C709D3C6AE8CF330A1A49D7ACD341846D558FDC18C1DE5B97DA59ED53C887A854B8BDA5679F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7.....y...K.O.."+ H.I..220214055503Z0...+.....7.....0...0......(u..m.,..E5.IhF..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0....6=0..z..-.c..q..xS.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0.... Vf.*...S.....3...7.D.%.Azv).`>1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Vf.*...S.....3...7.D.%.Azv).`>0... .j.[6=uPASr......) .N.g].!i.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .j.[6=uPASr......) .N.g].!i.0.....U....Z....$......1..0...+...

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\stvad.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4338
                                                                                                                                                                                                                                        Entropy (8bit):5.5192534972153515
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:2kSMHhlJjFdN5JHzI8LeTMdH33I8vV4xmzAchZ8MMCuj:2kSMHdxdnJHTeT+3B4xm09j
                                                                                                                                                                                                                                        MD5:8E91B0F01FFE8DF22050392F91D8F28D
                                                                                                                                                                                                                                        SHA1:1ECD2875D29F0F6DE62C1DBA4535D7496846B70D
                                                                                                                                                                                                                                        SHA-256:946AE6ACA55B363D7550415372A8A483BEDA152920104EE4675DD4AC2169ECA1
                                                                                                                                                                                                                                        SHA-512:5B421B323084E851154C15E22769BDBA12C555DD8DF949B21719CF13C0549EEE1AC48C4EC4802EC08A725A4515C449BACE6E43F0DC67B54BAB1DB08D2408AA59
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 02/14/2022,1.0.3.0..CatalogFile .= stvad.cat....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVAD.DeviceDesc% =

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):206
                                                                                                                                                                                                                                        Entropy (8bit):4.79285514077006
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                                                                                                                                                        MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                                                                                                                                                        SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                                                                                                                                                        SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                                                                                                                                                        SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):212
                                                                                                                                                                                                                                        Entropy (8bit):4.871313263028117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                                                                                                                                                        MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                                                                                                                                                        SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                                                                                                                                                        SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                                                                                                                                                        SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45320
                                                                                                                                                                                                                                        Entropy (8bit):6.720475524234058
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:G9CoFe+yIPYhqU1YQ7YemerV3hvrOyk3hH63:G9PFe3VYq3hvrOX3hH+
                                                                                                                                                                                                                                        MD5:A9D239E41BAED5879255923481C73D11
                                                                                                                                                                                                                                        SHA1:FE581685174CEFCAD994BB8EC1A70537BB8CA626
                                                                                                                                                                                                                                        SHA-256:5118FB2A6A4B1E37AA12544E5864B77733739FB5EFBC4997F3A5A3EF385FE9B9
                                                                                                                                                                                                                                        SHA-512:5460CDDD61A79C9C4982106344F4354E55C93AC996EF7315DE635F2F45EFE8A9BDFF37664137E7307E8C9654BCD16ACC65B8471D08E09DAA798502B0973E3DAD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................................#.........Rich...................PE..L....0Ca.................D...&......0p....... ....@.................................N.....@E................................xp..P.......p............n...C...........(..8...........................8)..@............ ...............................text............................... ..h.rdata....... ......................@..H.data........0....... ..............@...PAGE.....,...@.......0.............. ..`INIT.........p.......^.............. ..b.rsrc...p............d..............@..B.reloc...............h..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53000
                                                                                                                                                                                                                                        Entropy (8bit):6.411029825578745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:HD4P58VeNfba5EMjxMXOkvmWvwDtmmEfdgA5lER3hjgxW3hyB:8PiVeNYEMVz4TVRl+3hjgg3hyB
                                                                                                                                                                                                                                        MD5:E623E53FAE062F43180174FA01E7B6E0
                                                                                                                                                                                                                                        SHA1:7843125E12A3DF5A9DC1FB052CCC34B993A18F00
                                                                                                                                                                                                                                        SHA-256:D68E13044485D730E183449E3F34D45E319199D376C7528FC8DDA87CA5A22034
                                                                                                                                                                                                                                        SHA-512:26E342BC8E28CB447BF4F1FC4F1A7A0CA2186B4AC78CDC062B29CC206ED1FAC2E0825748DF26AA0E893795820A77D6D269F4DFCB2162E5877710D7DE8FD1365B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t`X.............~.......~...............~.......~.......`.......`.......`......Rich............PE..d....0Ca.........."......R...8......0..........@.........................................`A....................................................<.......p....p...........C......T....<..8...........................P<...............0..0............................text...i........................... ..h.rdata.......0......................@..H.data........P.......,..............@....pdata.......p.......@..............@..HPAGE.....7.......8...F.............. ..`INIT.................~.............. ..b.rsrc...p...........................@..B.reloc..T...........................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285
                                                                                                                                                                                                                                        Entropy (8bit):4.794885910225241
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                                                                                                                                                        MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                                                                                                                                                        SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                                                                                                                                                        SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                                                                                                                                                        SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):289
                                                                                                                                                                                                                                        Entropy (8bit):4.864786270026779
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                                                                                                                                                        MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                                                                                                                                                        SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                                                                                                                                                        SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                                                                                                                                                        SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\stvad.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18540
                                                                                                                                                                                                                                        Entropy (8bit):7.313988713784432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1+wARK7Nm4UB1LtL8JN77hh/onRK7Nm4UxY28JN77hh07V:8wUh23hRoR83hGV
                                                                                                                                                                                                                                        MD5:52973E06C8A2587300797DEBD419A08C
                                                                                                                                                                                                                                        SHA1:8D13082BEEF0B4240B67F7D04809A25C8CC3834F
                                                                                                                                                                                                                                        SHA-256:AACA5F16D57F7C9CBA15F8420FA57CB0F222F3FD28051FD1C103AEBEBA681D05
                                                                                                                                                                                                                                        SHA-512:60CE0E47DD5B42DB77BBF507AEB939CA26ECA50A5A6F5FF4731D4E65230335BC5F8E47A1B60466B6BB2CACB582F7F0BEACEAA956A2A50D5C5645F0591D4DF8B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.Hh..*.H........HY0.HU...1.0...+......0.....+.....7......0...0...+.....7........[.nA.jC`.S....210916120921Z0...+.....7.....0...0....R5.6.4.E.F.8.7.0.9.0.7.9.8.F.7.A.6.2.5.7.4.B.6.0.2.C.F.3.1.2.3.D.C.E.D.2.3.4.6.3...1..O06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........VN.p.y.zbWK`,..=..4c0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R8.7.8.1.B.4.C.0.6.1.9.4.5.A.2.E.8.E.0.1.0.E.F.1.2.9.8.5.9.B.D.1.A.A.3.1.3.C.7.5...1..G06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0E..+.....7...17050...+.....7.......0!0...+............a.Z.....)...1<u0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RF.4.9.D.9.9.6.B.8.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\stvad.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3217
                                                                                                                                                                                                                                        Entropy (8bit):5.702969738113695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:2kQG735yUI8LeHdT3I8vV4xDKKr84QM5MFgWCwj:2kQG7pyye1B4x+I8pj
                                                                                                                                                                                                                                        MD5:1574CF3E123B96142ACF789F852119FF
                                                                                                                                                                                                                                        SHA1:8781B4C061945A2E8E010EF129859BD1AA313C75
                                                                                                                                                                                                                                        SHA-256:3FF183B875687A9A2BAF0FBEFA52AC04CD5E869E6E4FD535CC7D1D1F4825A003
                                                                                                                                                                                                                                        SHA-512:29EA441281BA5A4E7B427335E36D0D6FA2A103D852DD16E460C4BE62E2640AE2117C1C64CFE6BFDC2A22FE9ADDE71B74DB5A1A6BF80D7BE0953FD593401F0311
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer ..= 09/16/2021, 1.0.2.0..CatalogFile .= stvad.cat....[DestinationDirs]..STVAD.CopyList = 10,system32\drivers....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....[Manufacturer]..%MfgName% = Splashtop, NTAMD64, NTx86....[Splashtop.NTAMD64]..%stvad.DeviceDesc% = STVAD, *STVAD....[Splashtop.NTx86]..%stvad.DeviceDesc% = STVAD, *STVAD....[STVAD]..AlsoInstall..= ks.registration(ks.inf),wdmaudio.registration(wdmaudio.inf)..CopyFiles..= STVAD.CopyList..AddReg...= STVAD.AddReg....[STVAD.CopyList]..stvad.sys....[STVAD.Interfaces]..AddInterface.= %KSCATEGORY_AUDIO%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_RENDER%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_CAPTURE%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATE

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):206
                                                                                                                                                                                                                                        Entropy (8bit):4.79285514077006
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                                                                                                                                                        MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                                                                                                                                                        SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                                                                                                                                                        SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                                                                                                                                                        SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):212
                                                                                                                                                                                                                                        Entropy (8bit):4.871313263028117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                                                                                                                                                        MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                                                                                                                                                        SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                                                                                                                                                        SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                                                                                                                                                        SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53008
                                                                                                                                                                                                                                        Entropy (8bit):6.847750617309462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:b9aXVnIo4e86mU2IpU88ukl7qqOky4QqSmOOgY3hs3BMBs3hsU4hJt34lz2:b9uV54e8Q6uoramO43hs3h3hsU4/tgy
                                                                                                                                                                                                                                        MD5:48A8D41400F7D4729A0FB3102B2FD7AF
                                                                                                                                                                                                                                        SHA1:709FCD8676F7E618B1D519D7C84422D90EAC81AD
                                                                                                                                                                                                                                        SHA-256:158BF7761E9A254E5D4608E62D11B86A682E505413C86128999F8EDC6294645D
                                                                                                                                                                                                                                        SHA-512:845DA37A4FC90DB0E4D1A0CE51E9436F3AB65289C4CAE189999A72DC516F09750FBE43D681746E5BD0C5E4E90C246BC58ADF95239A19A3E3E71000C0E8B46018
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................................#.........Rich...................PE..L...1.'a.................>...&......0p....... ....@.......................................@E................................xp..P.......p............h...g...........(..8............................)..@............ ...............................text...g........................... ..h.rdata..l.... ......................@..H.data...0....0......................@...PAGE....")...@...*.................. ..`INIT....8....p.......X.............. ..b.rsrc...p............^..............@..B.reloc...............b..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59152
                                                                                                                                                                                                                                        Entropy (8bit):6.649199158440194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Qidu9HV92g74x9xMtsqRdUx2PEvp/MuTP3hs0KI3hsE5Et367SH:09HV92Z9fx/MYP3hs0t3hsE+tK7+
                                                                                                                                                                                                                                        MD5:FFC5D6FFD92E2F5DD7D454B5EA624825
                                                                                                                                                                                                                                        SHA1:22DC6D072A87B95A215735D8A9002757F1C99F4B
                                                                                                                                                                                                                                        SHA-256:BF3806D063FD4982791FA5F5C50DDC5B7F49B40615F6CFCE96016571CA4AF7CB
                                                                                                                                                                                                                                        SHA-512:653CAB148E0CE24DF36C1EC02760F19C9100542FCA5885B665E8F98EE82118B7930D3B9C8BAF18C1D08B5E1D3D5F7B3DDF0041581116BA5973CE30DFF4C4A958
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t`X.............~.......~...............~.......~.......`.......`.......`......Rich............PE..d...-.'a.........."......H...4......0..........@.....................................g....`A....................................................<.......p....`..h........g......L....+..8........................... ,............... ...............................text............................... ..h.rdata....... ......................@..H.data........@.......&..............@....pdata..h....`.......:..............@..HPAGE.....1...p...2...@.............. ..`INIT.................r.............. ..b.rsrc...p............x..............@..B.reloc..L............|..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):286
                                                                                                                                                                                                                                        Entropy (8bit):4.868409179176479
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:fAjsd94wqJ6dA3OdqA3PMOdyE23PMmfPP0NIgm4OdELV5FaA37:EWH9dAedNtdyE23rH0GpBdM97
                                                                                                                                                                                                                                        MD5:A9A42F8DE6BBE12230621C01C8FD5987
                                                                                                                                                                                                                                        SHA1:360D7B9C960AA8BCFAB960F5BC8FE4C8217BFF1D
                                                                                                                                                                                                                                        SHA-256:377B50263A4EC36A0133666CCC089CC065119FE290FA53D9397D414BFDE6DDF3
                                                                                                                                                                                                                                        SHA-512:CFCBE219768697E54E62F27C0BC318590055BD70BBAB73262ED93B4F7B8A993D6984DB2CE1A0DABE65A2E83204FAE61AB4896BCA56385E49DA7527B4567EDDFD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon.exe install stvspk.inf *STVSpkSimple >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):290
                                                                                                                                                                                                                                        Entropy (8bit):4.94060950303714
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP0NIgm4OdRL6V5FaA37:kWH9dAedDtd0E239H0GpBdm97
                                                                                                                                                                                                                                        MD5:9DC29B6F9CC69C534977BFCDC98E2705
                                                                                                                                                                                                                                        SHA1:4AA931BE2C7297A93CEC4172F48EDDD8DBC4E3AB
                                                                                                                                                                                                                                        SHA-256:78CEDF996370DF8A59521A77BDDB7118610924A02625AA53BFE47975A23B3B8D
                                                                                                                                                                                                                                        SHA-512:5227EFC53C6D12C012691A920ADB77B51E9E939294B7B690774BDC16EFAC877D9D92C409D5197244279F4BE8052CA8FA9FCD37D82178807DABA8D0F528F179A7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon64.exe install stvspk.inf *STVSpkSimple >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18559
                                                                                                                                                                                                                                        Entropy (8bit):7.313796375225627
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5eNwo6RK7Nm4UN1d08JN77hhOd5wTRK7Nm4UhkX88JN77hhOmT:Yw1n33hsd5wFIXf3hsmT
                                                                                                                                                                                                                                        MD5:3BEB01DAE131D8E2F595EA697676FD82
                                                                                                                                                                                                                                        SHA1:E4AE36B125E40E3964C176FAD1A2690317574A15
                                                                                                                                                                                                                                        SHA-256:B2E42C84B27299C6973FC976FF22837D156788A6D423286816DD9B551A959245
                                                                                                                                                                                                                                        SHA-512:DDCEB2EE00865574863F4E6D5CE32A4363FCBC85C42B75AE348FA1A09E1FC5284355A772E127372993560CA634B52447EE6F4CF7261691EB8EEDD0DD95731FEC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.H{..*.H........Hl0.Hh...1.0...+......0.. ..+.....7......0...0...+.....7.....]....qF.3o...!...210826123955Z0...+.....7.....0...0....R2.2.8.8.7.7.B.7.3.E.F.1.0.A.0.A.F.7.3.6.9.3.F.B.2.B.4.F.4.9.F.D.6.D.A.7.4.0.4.9...1..I08..+.....7...1*0(...F.i.l.e........s.t.v.s.p.k...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........".w.>....6..+OI.m.@I0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R3.7.8.B.6.D.B.1.6.A.4.1.D.7.F.6.F.1.2.A.D.5.B.B.3.B.3.4.2.D.F.D.9.E.A.0.2.A.8.1...1..Q08..+.....7...1*0(...F.i.l.e........s.t.v.s.p.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........7.m.jA...*.;4-...*.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.C.C.A.0.5.0.E

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4530
                                                                                                                                                                                                                                        Entropy (8bit):5.531167619033096
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:TMuJlJjPHHXkP9bYxHJswZ4xNzp49RY8MMCuqx:TMuFDHX4yR4xNdezqx
                                                                                                                                                                                                                                        MD5:C6F9A3971989361505A22B26F16CBF33
                                                                                                                                                                                                                                        SHA1:228877B73EF10A0AF73693FB2B4F49FD6DA74049
                                                                                                                                                                                                                                        SHA-256:1D08A49A629D67FDC77E6EC38B90F10A2C7788BDE9EDE15075732DA010FCE8DB
                                                                                                                                                                                                                                        SHA-512:B49317454756DD29317838224D2B49A1D4CDB358B0BAE5EFBD6CD7F12CDEE018BF9F3A8D7D1484D64BA158821E3EBDC52D18BD601D999FFB9127A744BD477A3C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature = "$CHICAGO$"..Class = MEDIA..Provider = %ST%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer=08/26/2021,1.0.1.0..CatalogFile = stvspk.cat....[SourceDisksNames.x86]..222 = "STVSpk Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVSpk Driver Disk","",222,\64bits....[SourceDisksFiles]..stvspk.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVSpk.DeviceDesc%=STVSp

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):202
                                                                                                                                                                                                                                        Entropy (8bit):4.8854882526314825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd94wqJ6dA3OdqA3PMOdyE23PMmfPP07:kWH9dAedNtdyE23rH07
                                                                                                                                                                                                                                        MD5:3535AC984A69ED2E778B7F2B77618C94
                                                                                                                                                                                                                                        SHA1:3B6B19524DFAABDA5CF5FD2DD476A0108C928676
                                                                                                                                                                                                                                        SHA-256:98040E1CF91AB05E0341BAE64F1D8AD29077A5351C586F2507CFF4C41CA80A1C
                                                                                                                                                                                                                                        SHA-512:FD92393595D39F6260BB517DF38E82FBAB7BD7A9A79C276DEAFBDC69B123359F3D20C5A5B28AB06EFCB412E64E2AC940FA84FB130EAE9ACC778410119E7BF083
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):208
                                                                                                                                                                                                                                        Entropy (8bit):4.961978816753448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP07:kWH9dAedDtd0E239H07
                                                                                                                                                                                                                                        MD5:754E73406288B7E24396DE0B02C9767D
                                                                                                                                                                                                                                        SHA1:EE115F24C025725D5BC56DAF460CBB25084D1059
                                                                                                                                                                                                                                        SHA-256:A2B082F8CF5944558CA68BEEC0290C49A3E4080E3B364A9A64F6CC203DFD2339
                                                                                                                                                                                                                                        SHA-512:9C378936BE40F532C0866713417DC0F686F8067EE706AD96DC71BA9614378A9ACF1E481C95E25C0AA0C9E63CC23C237FAAB22E49BD773E138543F27C7F0AEA5E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                        MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                        SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                        SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                        SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                        MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                        SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                        SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                        SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77824
                                                                                                                                                                                                                                        Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                        MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                        SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                        SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                        SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                        MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                        SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                        SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                        SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):5.182836790970066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:RnmRA8diIqFr2hrkzbBglwb20HsOANRBUBR+uekbnYPLGKw:5183HrkXBhb2CI7BUBUnCtKw
                                                                                                                                                                                                                                        MD5:3C0B8DA5253B68665362881787681D04
                                                                                                                                                                                                                                        SHA1:8C2925071EBBB1D94B34DBC9B926CC96F3D6674F
                                                                                                                                                                                                                                        SHA-256:8DB1AF7E90197353FD346A2A4D60C7EACD506EBD593A9BCA811DC9C5D420E141
                                                                                                                                                                                                                                        SHA-512:5ED6163BD09A81D50059B816B3D188DDABA7F032C091CD21205F081CA1B4BB902129A5AA87ADF55B5910B193721226F2E82CC53D9A0DF0D833933F798FCF5471
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!v.!v.!v.(.T.$v.!v.2v.(.R.#v.(.D."v.(.N."v.(.S. v.(.V. v.Rich!v.........PE..d...).9S.........." .....$..."....... ..............................................T........................................................p..<.......X....`.......J..........8....0...............................................0...............................text............ .................. ..h.rdata..<....0.......$..............@..H.data........@.......(..............@....pdata.......`.......<..............@..HINIT....T....p.......>.............. ....rsrc...X............B..............@..B.reloc...............H..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12008
                                                                                                                                                                                                                                        Entropy (8bit):6.164676951334965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:C1XYhWsmdZunYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9/6onc:CBYhWsmdknYPL/p1P6j7rtc
                                                                                                                                                                                                                                        MD5:1A2D1119C830079A91FDB0BC96C68E9F
                                                                                                                                                                                                                                        SHA1:6DFD2D9E82F5ABF807402E81F837DEA3FBF24861
                                                                                                                                                                                                                                        SHA-256:758732573D0360444173A9ADFEBC41E6295262A2E128F4A7DA973138BD05E1A6
                                                                                                                                                                                                                                        SHA-512:B8A8F0D970D4ACA797C3AE4F70C32D1068599F1FD802430F75606541F00BCC133B66484DAB0276115E09E39126AC398D54933A7757E4C28EC54FC0E40B869A3C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k..j..k......k......k.....k.....k......k......k.Rich.k.........................PE..d...).9S..........".................dP.......................................p.......R.......................................................P..<....`.......@..$...................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata..$....@......................@..HINIT....@....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18384
                                                                                                                                                                                                                                        Entropy (8bit):5.784225074424451
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KNpdeIDggm1TgXu0HM9CZFuz9ynYPLGKsH:Kp0f1Tg+CM9COZytKU
                                                                                                                                                                                                                                        MD5:FFF61014618EB5B63F5CBB7457537577
                                                                                                                                                                                                                                        SHA1:E899E392E493F731B900B36FF3C6AD384D35B129
                                                                                                                                                                                                                                        SHA-256:764FFF366A21B3D44F3F43BDED347E8BF6ACAEC3F911AEA07555A3D8E26CB407
                                                                                                                                                                                                                                        SHA-512:E057FC69EBE9E36A8D4DABD23044229450FA606564F28A566233AB014C7433ED515AC0BAE8427E667164518A92F74803719A1DB0066AF17560423C8E6BB6FA9B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i...h...i.......i.....i.....i.......i.......i.Rich..i.................PE..d...).9S.........." .........:..................................................................................................................<.......P....p.......0..........<....0...............................................0...............................text... ........................... ..h.rdata..\....0......................@..H.data....+...@......................@....pdata.......p......."..............@..HINIT.................$.............. ....rsrc...P............(..............@..B.reloc..............................@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12008
                                                                                                                                                                                                                                        Entropy (8bit):6.1656019250857135
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:C1XVhWcj2sFnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9SPp94v:CBVhWcj2onYPL/p1P6j7rLv
                                                                                                                                                                                                                                        MD5:8A12125138A8F34F9700529363947D5E
                                                                                                                                                                                                                                        SHA1:996729B5B9A1E85F3B911911AF675C51549F6D13
                                                                                                                                                                                                                                        SHA-256:392811F93E8DC4BD0BAEEF0DEDC6879DB667EAC0BE894BC6FBCF5BBB776AC98F
                                                                                                                                                                                                                                        SHA-512:E7AE1C133B9660B791373F1D3BD6765207E6FC1D132687CCE99E267E4945CB9843A47FE53FF0C2A2F20C704F50A8F129514F56675B52FB2C354FC1D829EA62D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k..j..k......k......k.....k.....k......k......k.Rich.k.........................PE..d...).9S..........".................dP.......................................p..............................................................P..<....`.......@..$...................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata..$....@......................@..HINIT....@....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\install.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51
                                                                                                                                                                                                                                        Entropy (8bit):4.239902792442837
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Eyd/MLVLV5rxk6BzX:EydELVLrqM7
                                                                                                                                                                                                                                        MD5:F03B61C1BE8851BF64E2EB97D4A3AF85
                                                                                                                                                                                                                                        SHA1:FE502F4ECD1209B3DADA7AC8F4876ED9FB5264E8
                                                                                                                                                                                                                                        SHA-256:AF5EFC928B43A1A476BEAFC055B19568EBCEE29EF4CEB211353DD218689F833B
                                                                                                                                                                                                                                        SHA-512:D229E472C0FAC83B5B952D368444DDCAC0DB965D033F29AC9EAB8F55D256BC4BFAB0861F21045A6E3B809F5B76AC30917AF321B3DC5F901F982CF477578ABD34
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:utils\devcon.exe install stvideo.inf STVideo_Driver

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\installWin7.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77
                                                                                                                                                                                                                                        Entropy (8bit):4.625480821115634
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:EydKiRgLV5rxk6BzJzIvXYRABAC:EydOLrqMqPYRkAC
                                                                                                                                                                                                                                        MD5:70271842A0F3305F9A2922EFE95FBED0
                                                                                                                                                                                                                                        SHA1:8B60A48D3F3CE9BF397B586F88087A291DBE3B89
                                                                                                                                                                                                                                        SHA-256:A537CF622B5DBAD19587CBC8FE08BBCE8BFE7E49497BECA5784723E876F99415
                                                                                                                                                                                                                                        SHA-512:B84A1FE296A36346C9658F1A715114FE5A7518FC1E9B9C7A4D08DDFED760ED15626FCD1751EE361CE2D91FA9B19B75873BAA6ED1BB441BB5170DB50473FC2CD0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:utils\devcon install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\installWin7_64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79
                                                                                                                                                                                                                                        Entropy (8bit):4.7040270721314865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:EydRFMyEJLV5rxk6BzJzIvXYRABAC:EydRFYJLrqMqPYRkAC
                                                                                                                                                                                                                                        MD5:C8D6ACDAF26E7B8FDAF2888E0CAE6275
                                                                                                                                                                                                                                        SHA1:B46AF328CF18FA3687AE4D9EE06780C21A12B7D9
                                                                                                                                                                                                                                        SHA-256:DE19F496F5932135FB25AB04EEE9E5A923728DDFBE13499058530239D890240D
                                                                                                                                                                                                                                        SHA-512:79CF0BEDCB07C72B6FFF243F7B6D90116AF1E558290E873863C5BE6994ECB6A7E4D4A0ED33CB05D0AC3699CD2328B3E4613868DECB77D7B0BBA6CF49AD809067
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:utils\devcon64 install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):5.364902287777804
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:NpXpb9ygWK86AclLjQ/WzRf8aMKnqPndtQrcaceJe0uqmnYe+PjPGyz/wa4/h:59yD6nlLoWB8a5Od+zcuebZnYPLGK5a
                                                                                                                                                                                                                                        MD5:FD3381A69042E1B01266549549845449
                                                                                                                                                                                                                                        SHA1:C6D8D4BF754DA24C0C9B39DFF0B336120BF3829A
                                                                                                                                                                                                                                        SHA-256:86688C2EAFB525E2E0E6723907E15567E426670C6B9934E129218A45F47B117A
                                                                                                                                                                                                                                        SHA-512:E9CEBA750A44248860A5980475D41358C0E0B78EF65BF823995572AA091804D3AF836A2A456A8C4A394AE57AF2B8589DFBF561D1007A3A600136A0746EFFB479
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w....y...y...y...x...y..n..y..n....y..n..y..n..y.Rich..y.........PE..L...'.9S...........!.........................0......................................s........................................`..<....p..X............:..........H...`0...............................................0..T............................text...<........................... ..h.rdata.......0......................@..H.data........@......................@...INIT.........`.......0.............. ....rsrc...X....p.......2..............@..B.reloc...............8..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12008
                                                                                                                                                                                                                                        Entropy (8bit):6.040113518412221
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Dq8YdZrnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9NH7:Dqjd9nYPL/p1P6j7rd7
                                                                                                                                                                                                                                        MD5:3C1EBF4DFC9685F1D584F0D6F421391C
                                                                                                                                                                                                                                        SHA1:99FB5FD1A755AC038818776C6FCB964FD027334F
                                                                                                                                                                                                                                        SHA-256:237BC4CD7AC38B503EF2D319C484EEAE07562AB09629C218B5C5BEEB8D5A8586
                                                                                                                                                                                                                                        SHA-512:84C5DCFBAEA40091F7D1D5003414FFA8926B3CEFFADD08071297C5F5A6929557D8EF36BE22181431CA56E773669CD1F15DCFA16494C935EF0C15707102A4A73F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q....................................................Rich....................PE..L...'.9S............................>@....... ...............................p..............................................P@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11728
                                                                                                                                                                                                                                        Entropy (8bit):6.807178448617145
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:KHpo0tYsmKZWZ3/ECwTnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mOsPkHsV:Pe+jwTnYPL/p1P6j7TmOfHsV
                                                                                                                                                                                                                                        MD5:36F961C6308CB0B919E659EB1B738AFA
                                                                                                                                                                                                                                        SHA1:FC795A8FD24CBB3267474D99922CFF1BEE5F242D
                                                                                                                                                                                                                                        SHA-256:4212786F0C3D5A00502A5926DE4E111BC9ABB84A4953C93DA6E17DCE4EC902E2
                                                                                                                                                                                                                                        SHA-512:923A0C4B1454C4DEDA5AFD423B34D51FD9AECBBFC610006FC062CF031C81D4A2FDC94098E9DCA4FC16B25FE0766ECDEC12F450E8E4BC701F17832D3715F70C91
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.-...*.H........-.0.-....1.0...+......0..]..+.....7.....N0..J0...+.....7........PW3.@.<...`.c..140331064154Z0...+.....7.....0...0....R1.5.4.3.1.9.0.6.C.F.3.8.F.8.6.0.1.1.8.5.5.2.3.8.2.B.A.9.6.B.B.D.7.7.6.A.5.7.3.1...1..c0:..+.....7...1,0*...F.i.l.e........s.t.v.i.d.e.o...d.l.l...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........C...8.`..R8+.k.wjW10....R2.9.7.2.3.F.C.3.1.1.0.6.4.6.4.9.3.F.8.2.4.3.9.D.A.8.1.C.0.A.B.A.8.7.B.9.6.3.1.7...1..e0<..+.....7...1.0,...F.i.l.e........s.t.m.i.r.r.o.r...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15824
                                                                                                                                                                                                                                        Entropy (8bit):6.022305855965037
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cdot9XqRolBJB3gP9tRHY8QjSec95NLnYe+PjPGyz/wOgjJ5Q7:cduaCvJQY8QjSz9vnYPLGKGI
                                                                                                                                                                                                                                        MD5:AF512AA3612DEA5C2E2FAE866898EED5
                                                                                                                                                                                                                                        SHA1:803810F8648832AB81DDF3B3C5862077EF6AFD4F
                                                                                                                                                                                                                                        SHA-256:FBBEE200CBD1663A0F6D6F9FAD4502004DD4922C2257CC8AF6CBFB4DE1CBDB12
                                                                                                                                                                                                                                        SHA-512:857D6F4F13ADACE91E7C90B6CADF601C87F3D98C9916C3D6079B153A48B7A9F16A5DB79B92D9E087F1646FE12DD65890292475D2D4DD0C823354EAA0B4BA5939
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)...)...)...)....... ....... ...+... .../... ...(... ...(...Rich)...........PE..L...'.9S...........!.........6............... ...............................................................................`..<....p..P............&..............p ............................................... ..h............................text............................... ..h.rdata....... ......................@..H.data....)...0......................@...INIT....H....`...................... ....rsrc...P....p......................@..B.reloc...............$..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4694
                                                                                                                                                                                                                                        Entropy (8bit):5.249583632564649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:E+5iOJLGq6BFPmfsLkfsof96zdUyLiypkTsTetTtqBlFL+WC:E+5iOJLGqsFPmfsLkfs86zdUyLiypkAU
                                                                                                                                                                                                                                        MD5:BA4F5D984CB8611E64BFCEDE9C3B8E93
                                                                                                                                                                                                                                        SHA1:AC67AA1C6C892FC04FC740647815F74C6671DD34
                                                                                                                                                                                                                                        SHA-256:A31E1D6AE465C93B847D47BCECAE94E24B918BFF73DD7D9B31E6789322591DDD
                                                                                                                                                                                                                                        SHA-512:16F3528FA573C612A0CF1BB772FB3C3DE2C4EBA619621E33DE0337D0954DE115BA39FAD0D7FD9816849E2BBC430EB84AAA802AA9F861F0B94EC890C9E19BCEBD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:; stvideo.inf..;..; Installation file (.inf) for the splashtop device...;..; (c) Copyright 2011-2014 Splashtop drivers ..;....[Version]..Signature="$CHICAGO$"..Provider=%splashtop%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=03/31/2014,1.0.2.0..CatalogFile="stvideo.cat"....[SourceDisksNames]..99 = %DiskId%,,,....[SourceDisksNames.amd64]..99 = %DiskId%,,,\64bits....[SourceDisksFiles]..stvideo.dll = 99..stmirror.dll = 99..stvideo.sys = 99..stmirror.sys = 99....[DestinationDirs]..DefaultDestDir = 11..stvideo.Miniport = 12..stvideo.Display = 11..stmirror.Display = 11..stmirror.Miniport = 12....[Manufacturer]..%splashtop% = stvideo_Mfg, NTx86, NTamd64....[stvideo_Mfg.NTx86]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvideo_win7, STVideo_Driver_Win7..%splashtop.MirrorDeviceDesc% = stmirror, STMirror_Driver....[stvideo_Mfg.NTamd64]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvi

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12008
                                                                                                                                                                                                                                        Entropy (8bit):6.040343349200973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Ddg2s4nYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9xu5eF:Di2hnYPL/p1P6j7rxbF
                                                                                                                                                                                                                                        MD5:46DF2F9B00DA96B8603F472EC4BEB416
                                                                                                                                                                                                                                        SHA1:AFB25F23A849DAFECA73DFA6B0DF428619F6224E
                                                                                                                                                                                                                                        SHA-256:8196CA7ED6BF904E00E2A2955AC8288801AA3983384268D5DF85F52AE10FC974
                                                                                                                                                                                                                                        SHA-512:0284D0D1A025AED097C375343018DF023A7058CF741BFDE9D97DC647548BD18C05B068268818E6542954BDBB1FDF0B992277C565865A2084DF9BFA2E33A9FBDC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q....................................................Rich....................PE..L...'.9S............................>@....... ...............................p.............................................P@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57856
                                                                                                                                                                                                                                        Entropy (8bit):6.214858942297855
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:T6pztvRXL6L1T9mV0OTpJoNGDP5t2IhmX+o:T4tmL1EXCNGVt2IhmX+o
                                                                                                                                                                                                                                        MD5:3B83E955AB0C3A815E0ED69EB6407C52
                                                                                                                                                                                                                                        SHA1:995657C40BC9A28D36AFEA59FE8549B916F81B95
                                                                                                                                                                                                                                        SHA-256:0C2EBB467661D404BCA91A080CCA0E5836797EFC474B62A3D22FB3419E3C8B52
                                                                                                                                                                                                                                        SHA-512:1943EB1AFE81116657CBB33E87C7683CCF6D9EF22F59E5CEE840705E486A176DB5A7D67114A46ECDFC47A1B351F94DDEC72A05BDFB29CA6709CC696D877FDEBA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........X..SX..SX..SQ..Sz..SQ..SH..SQ..S;..SQ..S_..SX..S...SQ..SZ..SQ..SY..SRichX..S........PE..L.....M.....................D....................@..........................0......|.....@.................................T...P............................ ..@...p...................................@...............(............................text...4........................... ..`.rdata... ......."..................@..@.data....+..........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77824
                                                                                                                                                                                                                                        Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                        MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                        SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                        SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                        SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                        MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                        SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                        SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                        SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542216
                                                                                                                                                                                                                                        Entropy (8bit):6.466753301083591
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:TXL84WA5C/KIcgHrlti0XoppdpRFT/FKf51PnofX09v:TXL84lopcgRti9FT/FKvnuX4v
                                                                                                                                                                                                                                        MD5:BB241F864550BFA8AD2346C65E0CE41C
                                                                                                                                                                                                                                        SHA1:378769EE7D6CA44554103E6A23F1BD20BB9E2564
                                                                                                                                                                                                                                        SHA-256:58C4394BBE98BA2B9344209CDC98F5DB854A385ABEB4C74BD111B0ED661D1D61
                                                                                                                                                                                                                                        SHA-512:68CF0A4CC802A10C218B3155D427DA5DFB6EDEA7671A41D016A5844011896C84490123E008CDAC2A4C5C60150B777F6742BA47A95050DFC1DBDEE20E332765EC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.gS..4S..4S..4.`.5Y..4.`.5...4.`.5I..4.l.5C..4.l.5Y..4.l.5...4.`.5B..4S..4...4Gm.5Y..4Gmh4R..4S..4R..4Gm.5R..4RichS..4........PE..d......e.........."....$.....B......p".........@....................................9.....`.................................................d........p...........A.......(......D....&..p....................'..(....%..@............................................text............................... ..`.rdata.............................@..@.data....5..........................@....pdata...A.......B..................@..@_RDATA..\....`......................@..@.rsrc........p......................@..@.reloc..D...........................@..B........................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2816416
                                                                                                                                                                                                                                        Entropy (8bit):7.82236063017737
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:wVaHMTDMmyUZe4RF+A8LO9Us1BXEne0Nxx4kta2R74IIjvmIFe5mxoDpuBw1s31n:wVTuERKy9v1BXEne0Nxx4kta2V4IIjvZ
                                                                                                                                                                                                                                        MD5:DF362B11095D0F59ECF9DDC0DAF61B12
                                                                                                                                                                                                                                        SHA1:6BB3B490F048FD1306D714651F6C2C488BC318D9
                                                                                                                                                                                                                                        SHA-256:BAFA22DA91BF2B44E4EFBBDFB8D7FB64B6F8A04569F2737EA49C384CDAD193F7
                                                                                                                                                                                                                                        SHA-512:0A03BBF0DEF16E78556041DAC5EF003957384C37F07B08EBC0917921DC30189C2E3CFF7F91F369BD7195A8EE3E84D194113F0D889897C5679DEA263F27821FFE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...2..e.........." ......*...... ..0.I..0....................................J.....v.+...`...........................................I.\.....I.<.....I...... G.......*..-..,.I.............................(.I.(...................................................UPX0..... ..............................UPX1......*..0....*.................@....rsrc.........I.......*.............@...3.96.UPX!.$..c-rX...OI>H...*...G.I..l....H....F........@.AWAVATVWUSH.. A..|.........................f.....{...... H.5.....}..g1..H..>t.(...%.....?..v......=u.f=.....<......"g.|.....w..H....M..I..eh.%00.....p..P.7...t$H9.....-...=.uv.T...5!..u......f....,...>.u....H........#.a.2...&/.d......[..a.D...R....t.L..A.....{..O......E1....D.....m. []_^A\A._.a.y(.p...f.._....Uc(L.9^A..1>l..t....y..v.....z....G..w**.....$(...SW...)...,...."[\...=...2s.....E....F1...&;..v....y.wp.....t#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):465928
                                                                                                                                                                                                                                        Entropy (8bit):6.6188868975232875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:nmELSchToqY92QUOMIsV7iPSdutxml26jmlE662:bnAUF1pAb
                                                                                                                                                                                                                                        MD5:12A3EF8EF5D70994B9500FA0801F8903
                                                                                                                                                                                                                                        SHA1:C06C2AC1CC4B7D50DDFD36E32CDB2274618294B7
                                                                                                                                                                                                                                        SHA-256:520C5A35F943B06888A96339EB2B8B5BEEB70046B5835DC0190AF77B4E0824FC
                                                                                                                                                                                                                                        SHA-512:EF4AE07C1F2A636D57F5FA64505CE8CA581FAFD450DAC9FFAED69B84259BC21A3632E401577FA996C5C699352B07325CA7CB4CF82FD46E3C98E506E08B3125E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Lyqa...2...2...2.j.3...2.j.3...2.j.3...2.f.3...2.f.3...2.f.3S..2.j.3...2...2...2.g.3...2.g.2...2...2...2.g.3...2Rich...2........PE..L......e...............$.X..........7........p....@..........................@......B ....@.................................4............................(......t8...P..p....................Q...... P..@............p..8............................text....V.......X.................. ..`.rdata...A...p...B...\..............@..@.data....%..........................@....rsrc...............................@..@.reloc..t8.......:..................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2581408
                                                                                                                                                                                                                                        Entropy (8bit):7.8335475472495375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:bGF1tZkcS3fy3i9Ov8l6/kKkN6PLsCzvDxg7abakf35UXAtuwHgLYV1G4DW1L6Ky:bs1kcS3fy3pv8l6/kKqiLpPuabakf35n
                                                                                                                                                                                                                                        MD5:348AF13556E619DA13459047DAB625B9
                                                                                                                                                                                                                                        SHA1:6F3CB9022C715AFC6156A44A73D9D10147AB6CA4
                                                                                                                                                                                                                                        SHA-256:75BDBB78A7CEE839496A8E643E2E631D04E243C4B466F3AF7FCD8C8A01288807
                                                                                                                                                                                                                                        SHA-512:344C43F62910CF5D1B31AA3A17E0A581C438055D49DC59071574F3D1A500C0945AFE89C2AB54045140B4EB79221B5A7E0814056C5600055FD3A0D458436D9CC0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...[..e...........!.....0'......."...J..."...J.............................. J.....+-(...@......................... .J.\.....J.......J..............6'..-..|.J...............................J.....................................................UPX0......".............................UPX1.....0'..."..*'.................@....rsrc.........J......,'.............@...3.96.UPX!.....'.tl..8..I..''...H.&...o...h.>e....`....f.USWV....D$........tz....M".R...-..........5..p..a1....>t...."}..........h.....9u.=s.Z.^.......>..6...........nd...h.v...k../...t 9.t....{3m.7.u.-.E.n..~.u.j..."L.".}u......2e.J ....PQ.......k.PC..$...z........X.IL.6t......t$.j.....C...1...........^_[]...V.L$.TJ...$......a...P...^^Jf..4...?......UX...._/............F.^|.<.w&.VW...v.t...v%.!."LqO...."..9...,...WJ.d.....)Rj.s...W.h.G]....qA..<$G...C*.+t..G.#..@?.1?.....x7....$./...h..".ul......

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3116552
                                                                                                                                                                                                                                        Entropy (8bit):6.392745373577217
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:bPZ5TNGpStg+wTMz3Q8giStLONyAppqk8W+OcVpcL0865eGzYPcL1l:gtMziR8k1DcLv6xL1l
                                                                                                                                                                                                                                        MD5:9CA925B6A0CFA7F8B0222233B3494D05
                                                                                                                                                                                                                                        SHA1:20EF67FDEA63178B92D2BF4755C02687DC9D9022
                                                                                                                                                                                                                                        SHA-256:5C66BE5F5D9A8CD7CBD5F31EF3AAFE7A422186E9B21AC564B58362508BF0583A
                                                                                                                                                                                                                                        SHA-512:FBF69CAB559363EE0C16E4F04A7A3BED101B1B7D96383D2E092DE6EED505522CC7D1FEA1900FB0A63293BDEE34A5006583A1540D61043439CCE4EB12FF505879
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......)r.3m..`m..`m..`.a.aa..`.a.a...`.a.av..`.g.ao..`"o.a|..`"o.ag..`"o.a#..`.a.a`..`m..`...`.o.ae..`.o.al..`.o{`l..`m..`l..`.o.al..`Richm..`........................PE..d...)..d.........." ...".:...`......l^......................................../.....M.0...`..........................................,.X...(.,......0/.h....P-......f/..(...@/.H... .*.p.....................*.(.....*.@............P...............................text...|8.......:.................. ..`.rdata..ZM...P...N...>..............@..@.data........,..p....,.............@....pdata.......P-.......,.............@..@_RDATA..\.... /.....................@..@.rsrc...h....0/.....................@..@.reloc..H....@/.....................@..B........................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32264
                                                                                                                                                                                                                                        Entropy (8bit):6.549378989734658
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3mFO3OkMgk4tx/knVGuOA0R2dEpYiTPxchfU49:3SO3trenVODR2W7TPxchfUg
                                                                                                                                                                                                                                        MD5:48C3A4A2FA37A0BFC5BD90874A63AF44
                                                                                                                                                                                                                                        SHA1:27A3FBF2603B36DD972401CF8B976FBC282A2C3D
                                                                                                                                                                                                                                        SHA-256:3822BE932AED0A6E5C5A9F3CD80440AD96C8248F187F67324221A58AF5276296
                                                                                                                                                                                                                                        SHA-512:F261A54AF5B0204B8018B5844CDDA6BDC1F399AB3375BF171B8E7081A9BCA583D061F7182EA140E5E2A9E42916C78C2C7256AF516B15EC16AD51AD8ADFBC57EA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:..:..:..u[..:..BX..:..BN..:..BI..:..B^..:..:..:..BG..:..BY..:..B\..:.Rich.:.........PE..d......d.........."......*...(......,0.........@....................................<.....@..................................................L..d.......l....p..D....V...(......L....B...............................................@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........`.......D..............@....pdata..D....p.......F..............@..@.rsrc...l............L..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2403848
                                                                                                                                                                                                                                        Entropy (8bit):6.7207202597413875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:FgGdcX0zBXVSNi2z4xw4G7NyzRP1ikMHeBNWHr:F4X2ikxwTNsi7
                                                                                                                                                                                                                                        MD5:4CF09B45FEE4FD22DC22B0AF706E4D80
                                                                                                                                                                                                                                        SHA1:86A6E08A3F7C315F1FDE9A9499EE91EE6A0F1407
                                                                                                                                                                                                                                        SHA-256:4D925CF495ED97B7B73F7A93B01F7C529B55EB4581479120D235DC9263D06A3D
                                                                                                                                                                                                                                        SHA-512:FD4B8E15B5A2C0B5045F039E2498D1CEFA5BB4913E302C56E6B84526279D36378D87E9269435B5AF644BA019CF056BF47E818F192FDD9D35F1AC8CF8D6DDD531
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.q8.."8.."8.."...#*.."...#..."...#/.."...#:.."w..#).."w..#!.."w..#s.."...#5.."8.."..."...#0.."...#9.."..%"9.."8.M"9.."...#9.."Rich8.."........................PE..L......d...........!...".............W........................................$......$...@...........................".X...8."......`#.h.............$..(...p#..o....".p...................@."......".@............................................text............................... ..`.rdata..............................@..@.data...pr...."..N....".............@....rsrc...h....`#.......#.............@..@.reloc...o...p#..p....#.............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29192
                                                                                                                                                                                                                                        Entropy (8bit):6.708144938787245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:EJVI3R0H/aWeIUhwNslRPbJyRefvcO+mVMWehLNyb8E9VF6IYiTPxcbdGgktyVEF:EJKMC8NsLPtxcO+AMPlEpYiTPxchOF
                                                                                                                                                                                                                                        MD5:A958758134E6D61D45BA0C4968380A8B
                                                                                                                                                                                                                                        SHA1:F40142518B13782CD2A06844CD8147B337E459DA
                                                                                                                                                                                                                                        SHA-256:30FD28720C7235F45140ED0642A4C71FF0DB1E93362D5694D87026DDA14992F9
                                                                                                                                                                                                                                        SHA-512:1645C335C36AAC6A6BD2A74E41F7176776E70B696705F491CA8CCD6E99A54C3ECBC52E8BA081E9B0E57F5C08E0546D5302A7D28D72C350EC08446D54457360D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U(...I...I...I...Z..I...1Y..I...1O..I...1H..I...1_..I...I..sI...1F..I...1X..I...1]..I..Rich.I..........................PE..L......d.................&... .......+.......@....@.......................................@..................................F..d....`..l............J...(...p......pA...............................C..@............@..H............................text...K$.......&.................. ..`.rdata.......@.......*..............@..@.data...0....P.......:..............@....rsrc...l....`.......<..............@..@.reloc..4....p.......D..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):107312
                                                                                                                                                                                                                                        Entropy (8bit):6.447984928648711
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:BTeWLZrzci/8dbquofWnRADp2y6hX2hbTYzLhrhkphDZ52DBXN+vl/DFS:BCWFfqbqaGnGzLhr82DBXN+v2
                                                                                                                                                                                                                                        MD5:BCEF2D42768A816AF7CD60391CBA3C0E
                                                                                                                                                                                                                                        SHA1:E17EC512C595318DC5F282CB73B71CFCB0B52A7E
                                                                                                                                                                                                                                        SHA-256:0EA236D80EFFA865F73E728D06790AB5583660EC915C979E8D96CAF692B6FE80
                                                                                                                                                                                                                                        SHA-512:389B36A464C417AAAE16A229F004A01D4F1EBC8F3D8E8A4D12B5AA82D9BA5EDE4A139B3999BAF1D9BF862D3B4BD5A6A0D89CC0A3561E8CA15EF19AA771DEE475
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r...r...r...{...f...{.......{...D...{...}...r.......{...p...l...s...{...s...Richr...........PE..L......U.....................l.......W.......0....@..................................0....@..................................\..........................0............2..............................@N..@............0...............................text............................... ..`.rdata...6...0...8..................@..@.data....-...p.......V..............@....rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):76752
                                                                                                                                                                                                                                        Entropy (8bit):6.281018016209332
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:TMM1hIpiOe7unK1L0RW7Z4tk05ZpJBkkmN6/2EvK6k:TMM/hOeSK1DZ4tk0/B7OEvK6k
                                                                                                                                                                                                                                        MD5:8CED2B2F0E61A1BA20D63B24A41E1234
                                                                                                                                                                                                                                        SHA1:9731E2756EAB7A902DA1A72C0F1DC008425037C5
                                                                                                                                                                                                                                        SHA-256:44DB8AF61B92B39C805B136D2FB608D9D9082F051DDBD9AEE9E3A760B34EFF13
                                                                                                                                                                                                                                        SHA-512:087596DC595B786D74087BCEEA2F1A9B46F4EADCB1162201F32CB05B9BD207520C617AD849CD52788B5C2E579CF72B2B1BB7A5265D10B450B5E6FB8D17D1C07B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].mt...'...'...'v..'=..'v..'...'v..'q..'>+x'...'...'...'...'r..'v..'...'v..'...'v..'...'Rich...'........PE..L.....jP...........!................VE.......................................`...........@.........................`...........d............................@..P.......................................@...............t............................text...'........................... ..`.rdata...8.......:..................@..@.data... 1..........................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):91432
                                                                                                                                                                                                                                        Entropy (8bit):6.020228136904558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5UBy2mcawf1jBALblIkWHgMCtd+DIO6iUY:SyNcRjyLKGMCtd+DtDUY
                                                                                                                                                                                                                                        MD5:B510DA2C973FEB05803F124D0507D3A4
                                                                                                                                                                                                                                        SHA1:8F1344CEF1DB998698E1467AD22E30ED3BCE584B
                                                                                                                                                                                                                                        SHA-256:A39DEBD7558B4E769AC277A7D05B532318AB7774490310F76BDFE9E55240D9CA
                                                                                                                                                                                                                                        SHA-512:AFC90D52B19B5E8186C62F5F1B720AB68EB34A997D3099824C7396FCC74D1ED76063BA1541FAAD999806BCFCC375909636E48EF36957157AAD766256B2999E6A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7.B.s.,.s.,.s.,.z...b.,.z...K.,.z.....,.z...`.,.s.-...,.z...w.,.m...r.,.z...r.,.Richs.,.................PE..L....^.R............................@9............@..................................?....@.....................................x....0..x;...........L..(....p..X.......................................@...............x............................text...7........................... ..`.rdata..N0.......2..................@..@.data...............................@....rsrc...x;...0...<..................@..@.reloc..z....p.......2..............@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):170960
                                                                                                                                                                                                                                        Entropy (8bit):6.545608024132094
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:k4UWlA7/ZJoE1s76gv/vKnGStqzWTBflx+FOGqK1:PY7/3s76ginGS4zWTBQv
                                                                                                                                                                                                                                        MD5:27CA510E2DDFE647F742F98C2EC6A7F7
                                                                                                                                                                                                                                        SHA1:1F422E39770D9565460F881D078D8C335B678255
                                                                                                                                                                                                                                        SHA-256:41BA7791F830EFBDF5F942A0B6DCF98C6A7D37B7DC06EED21F86AFBED0215C9A
                                                                                                                                                                                                                                        SHA-512:ACBF7A23FB033ADB314466324AF6D1C6F543F6FADB6439B3E80F35467432754396667C9CA511A4D8AC3178BB51CD61EA3D94755436EFA9231EA362282C5FA2E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9..Kv4..9...A7..9...A!..9...A&..9...A1..9...9...9...A(..9...A0..9...k6..9...A3..9..Rich.9..........PE..L...8-,Q...........!................L3...............................................h....@.........................@[......(S..<.......|.......................0....................................G..@...............l............................text............................... ..`.rdata...k.......l..................@..@.data...87...`.......J..............@....rsrc...|............b..............@..@.reloc...............h..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):103936
                                                                                                                                                                                                                                        Entropy (8bit):6.507703999296599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:EaNGKlZIYEbXAiOuvw2sk6SDroltixDxnJf8:EUGTFj8uI2IfIxnq
                                                                                                                                                                                                                                        MD5:394B38315694C2F44E9AA9451C9BF2F9
                                                                                                                                                                                                                                        SHA1:E05BD08996AC48D79244B8A96D18478F957A70DA
                                                                                                                                                                                                                                        SHA-256:E5387D1B2972A589DDEAE8E7C4DBEE19F6F88F67C33902343CCCB1C0E4A92FD8
                                                                                                                                                                                                                                        SHA-512:6A4DDB8641F145E4B4249A0E86EBF0D838BFDE48AD4DA3B39C16626EE4060013CBAE817933B4532C022A13B197746600A5A06011DB1F60C1BDA55E4765121FB1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............}...}...}..l~...}..lx.{.}.....}..~...}..y...}..x...}..ly...}..l|...}...|.?.}...t...}...}...}.......}......}.......}.Rich..}.................PE..L....<.g...........!...)..................................................................@.........................pQ...... R..P.......x............n...(...........A..p...................@B.......A..@...............l............................text............................... ..`.rdata..Zk.......l..................@..@.data........`.......J..............@....rsrc...x............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2366976
                                                                                                                                                                                                                                        Entropy (8bit):6.76682262643859
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:YJAPT2mLkbHKnrM8KWYJmxzAw/L31N0rjrPGVn92MyukGrpWsnlLHmsMxHlPww1Q:YGb2mLkbHKnrM8qJmxzAw/L0rnGZyOc4
                                                                                                                                                                                                                                        MD5:F46304F40914BDA59A00A18C420761E5
                                                                                                                                                                                                                                        SHA1:6B67E5B84822D9B1E240DC8D07B3741B51C94E4C
                                                                                                                                                                                                                                        SHA-256:F266591038B49C787C793FAA41015822F9E6437EAE4A7369D51A31728BFABE74
                                                                                                                                                                                                                                        SHA-512:2C33EC66847F1A5D8FE9E9E0838910E2FE2E436DDBBA7E4A56813E459E9DCEDE778B831FE9F41B953BC87439F43B716353CCAD3D681C2C18572074C91EA57C07
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........S2S.2\..2\..2\..@_..2\..@Y.!2\...X..2\..J...2\....2\.._..2\..X..2\..Y..2\..@X..2\..@Z..2\..@]..2\..2]..3\...U..2\......2\..2...2\...^..2\.Rich.2\.........PE..L....?.g...............).....H......;.............@..........................@$......1$...@...................................!.T.....".P.............#..(...."..u......p...............................@.....................!.`....................text...|........................... ..`.rdata..j>.......@..................@..@.data...<.... "..n....".............@....rsrc...P....."......z".............@..@.reloc...u...."..v....".............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2843136
                                                                                                                                                                                                                                        Entropy (8bit):6.540969680142758
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:aKNKKqgp2eVqO3S4oZmb++KyFCiicqlc4XXD1TmRll1kHWV8/zHzJU:aKYKh/VqOBay++hFCinqlc4XXDcRbSW1
                                                                                                                                                                                                                                        MD5:735373F7DC558D52F39EB2513DD4C10A
                                                                                                                                                                                                                                        SHA1:5CE1B5E7346CF9E86A68D0B95050BF2E7D634F27
                                                                                                                                                                                                                                        SHA-256:52075CBAC339A539C75720E774CF52DF81C5D3A63223281533A402FA6FA90009
                                                                                                                                                                                                                                        SHA-512:5C695CB78DE2C77C817E845B2C0E4A1018999A2B1E3E4840DD85EED07EA700155CA29838525662082A262A398558FE53DDAF3130B432D5EB3DFAA887C68DDA04
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).^.H...H...H...:...H...:...H...:...H...:...H...:...H...H..iK......H......H.....TI...0?..H......H....C..H...H+..H......H..Rich.H..........PE..L...J?.g...............)............z.............@...........................+.....I.+...@...................................!.......".............:+..(...`).la.. ...p...........................`...@...............L............................text............................... ..`.rdata..~4.......6..................@..@.data...d.....!..n....!.............@....rsrc........"......2".............@..@.reloc..la...`)..b....(.............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):530944
                                                                                                                                                                                                                                        Entropy (8bit):5.641056197847852
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:XFsO87fqoGW3PX2WUZixCheYRnRoFRygiCSWiU4/+kwltmdfC:VsLGoGW3mRoFPVQ+kw4C
                                                                                                                                                                                                                                        MD5:C026299F6C9A27554298FC4CEB24FDCD
                                                                                                                                                                                                                                        SHA1:DC6B4F9C686BEBFE92BBECE401E5ADB9E2BCB808
                                                                                                                                                                                                                                        SHA-256:73663C75C7E750535081FCE60163BF14AB5D7C7896D0A4F1EA908C8168DEB463
                                                                                                                                                                                                                                        SHA-512:E9DA9E7AD5D36D4A2A2B61034996D89FE096FB9DA12320E26C312276B14CECE8573A96851B2B741C4AA989874A7699543F6A55533A5929C89493267E68FCB876
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.^.#.0G#.0G#.0G..3F(.0G..5F..0G3#3F4.0G3#4F7.0G3#5Fp.0G..4F;.0G..1F..0G#.1G..0Gh"9F6.0Gh".G".0G#..G".0Gh"2F".0GRich#.0G........PE..L...6=.g...............)............P.............@..........................0............@.................................<...........(................(.......(......p...............................@...............,............................text............................... ..`.rdata..T...........................@..@.data...X#..........................@....rsrc...(...........................@..@.reloc...(.......*..................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2857472
                                                                                                                                                                                                                                        Entropy (8bit):6.527509810041657
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:4eyS1S2t02IzwZMSQlQpES2X4N91O90h6bcU8qR2PWy71kHWj7sijpxY:4e/S2a2I2DpESC4r1s0h6bcU8qR2OgS7
                                                                                                                                                                                                                                        MD5:213A56B9AFE2675592116DAF60195A43
                                                                                                                                                                                                                                        SHA1:D1D393C6197AB2D2FC9B1BB7CA835F919CF88E17
                                                                                                                                                                                                                                        SHA-256:78E85CCB1963D217E08E87A7C9080A5949251A2E3EC83F97A7CDF132F38B4AB1
                                                                                                                                                                                                                                        SHA-512:83C28D95B703915F7841888AD6C2BA6AB9B2DC1700E618FE1813795BC1462BFCB4965ADFFBB2C824CAE789F9422302D3F514A745BEF72558C66F666849918962
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p.-C4.C.4.C.4.C...@.(.C...G...C...F..C...E.5.C...B...C.4.B...C.$0@...C.$0G.!.C.$0F...C..1J...C..1..5.C.4...5.C..1A.5.C.Rich4.C.........................PE..L...W?.g...............).T...t.......K.......p....@...........................,......y,...@.................................<.!......0"..d...........r+..(....)..^...,..p....................,......P+..@............p...............................text....S.......T.................. ..`.rdata..N....p.......X..............@..@.data........`!..l...@!.............@....rsrc....d...0"..f....!.............@..@.reloc...^....)..`....).............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2856448
                                                                                                                                                                                                                                        Entropy (8bit):6.6580102163481385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:TerAnAgEpVQaJKjUn9BvaQPothT86TrcHkroFKPcfoxJmd87ytDWNZe6:arAnhmVQaQ0fothI6TrGkroFKPcfoxJd
                                                                                                                                                                                                                                        MD5:DF313FF4BD970EC0EF608DD3A53D12E0
                                                                                                                                                                                                                                        SHA1:BF0D9CC6D6289703CFEE7CB0107042725D3B2F36
                                                                                                                                                                                                                                        SHA-256:F05D320CF9E438D24DCC3A9E47595B88FCC15AF7C5C9D52DDD05983846EA72A9
                                                                                                                                                                                                                                        SHA-512:F6FD73101095381C0F18E78D8ECEC614664C59037408E213332D67087FAEB07760D5B8F45C32FD630E430222FBFB0C5D06D1F26E9B179E56B43256C6FD4FF858
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-c..L._.L._.L._*>.^.L._L..^.L._n..^.L._*>.^.L._*>.^!L._*>.^.L._*>.^.L._.L._LO._...^.L._...^.L._...^oM._...^.L._..._.L._.L._.L._...^.L._Rich.L._........PE..L....>.g...............).....R....................@...........................,......+...@.................................._!......."..............n+..(....)..f.. k..p....................k......`j..@............................................text............................... ..`.rdata..L...........................@..@.data.........!..l....!.............@....rsrc.........".......!.............@..@.reloc...f....)..h....).............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):127488
                                                                                                                                                                                                                                        Entropy (8bit):6.663352275525587
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:2e+t58tCCtFHqvUPPTe3iiWfFBQGy+bpyF3/7g9krLmr:StWHqvUHTKiTfFBQG6Pskrk
                                                                                                                                                                                                                                        MD5:0A03D00D23A498362506A0507690694A
                                                                                                                                                                                                                                        SHA1:935DAE9F31A2F757E759DFB401BEBB2618CDF995
                                                                                                                                                                                                                                        SHA-256:3741E191500A0614DA4C86BBD3EC651764E015374876DB7095EEE3AFE3356F48
                                                                                                                                                                                                                                        SHA-512:EDE868FD6FCDE0052263A405119E72A5DB98EB5888219F294C218E6CE3246C001B9D4B72253A78DB45E06CFA979071A5BCDADF793AF593DB971801317E014C32
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3Al.w ..w ..w ..R..f ..R... ..R..a ..g...d ..g...g ..g...h ..R..t ..w ..' ..<...s ..<...v ..<...v ..w ..v ..<...v ..Richw ..........................PE..L....=.g...........!...).....................@......................................A.....@....................................(........................(......p...(...p...........................h...@............@...............................text...,,.......................... ..`.rdata...u...@...v...2..............@..@.data...............................@....rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2856448
                                                                                                                                                                                                                                        Entropy (8bit):6.657996276797265
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:ZerAnAgEpVQaJKjUn9BvaQPothT86TrcHkroFKPcfoxJmd87ytDWNZeJ:grAnhmVQaQ0fothI6TrGkroFKPcfoxJq
                                                                                                                                                                                                                                        MD5:EC3597A661A7212BBCE927DCACF7B7D8
                                                                                                                                                                                                                                        SHA1:E262C1DA18D9F6B0D191FB28C48ACDD00DF7216F
                                                                                                                                                                                                                                        SHA-256:1B7E64EE8D5EB40372FDF23798C53CA440BE80A915C11946F44898C88D4B1ED9
                                                                                                                                                                                                                                        SHA-512:BAFFB96ACBF785A4A5C9EC89ADF729250EF227EC4DA7BC95380D17F4B65CCBF5E16E5B4484E09D12306ECEE8A2BFE4E0C0B11E1ED54EB758072069A6443A9AD1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-c..L._.L._.L._*>.^.L._L..^.L._n..^.L._*>.^.L._*>.^!L._*>.^.L._*>.^.L._.L._LO._...^.L._...^.L._...^oM._...^.L._..._.L._.L._.L._...^.L._Rich.L._........PE..L....>.g...............).....R....................@...........................,.....E.,...@.................................._!......."..............n+..(....)..f.. k..p....................k......`j..@............................................text............................... ..`.rdata..L...........................@..@.data.........!..l....!.............@....rsrc.........".......!.............@..@.reloc...f....)..h....).............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2463232
                                                                                                                                                                                                                                        Entropy (8bit):6.463963620672712
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:JEgt0a5NOfMBMjk21auC1nNNcWPnYHkRjrQwPgn1kHW9:JEI0a5iMBMjvQj9NNcWPn00jrQw4nSW9
                                                                                                                                                                                                                                        MD5:B014770C400FFF7EECF19AAEC0052DDB
                                                                                                                                                                                                                                        SHA1:8682AA38F2DE5A2ED636021B2D7A22847C2A66B1
                                                                                                                                                                                                                                        SHA-256:1CDBEE564E8EA0F786A9CE1718FCCD5B1A6AB4EC55E724A1814329B425BE7A59
                                                                                                                                                                                                                                        SHA-512:220D1D1378C39345DE155D0E9E4887949964A6981BC0F27E7EE941F69DDBAF6D42C83218D67AADF783F1A3ABABB3DCCC97517CDE32E2F6BC66BE33076E33C819
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?b..{...{...{...q..a...q..X...q.....q..z...q..V...{.......k...c...k...n...k.......0...m...0.3.z...{.[.z...0...z...Rich{...........PE..L....?.g...............).:...x.......r.......P....@...........................%......#&...@.................................p+..|.......h............n%..(....#.........p...............................@............P..$............................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...P....p...X...R..............@....rsrc...h...........................@..@.reloc........#.. ...N#.............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142336
                                                                                                                                                                                                                                        Entropy (8bit):6.178708440903101
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:+IRS31UwelTwwoJChcq6UfS/Hqvo+h3YcD8DUsWjcd7LXQrd1ee4P4jaVq768hU7:+IvMg6MSq14bP6d1ee4P1Y6
                                                                                                                                                                                                                                        MD5:E0509D5EBA69BF050C5ACD952775DD10
                                                                                                                                                                                                                                        SHA1:089F98FD3A286E74A3F6067332FE26C9F93A6920
                                                                                                                                                                                                                                        SHA-256:4545D6E9D27B4E6693A1381AA9E0305CA887FBD4D742F7380FD5AF933F4F9233
                                                                                                                                                                                                                                        SHA-512:688395661EE7F071F96861DBF9A191B1E7DED991F77CA03BCDC339D78CDA6AB4913BA5181C681ABEA086F942030A6DA134A516204092F3FEA5E93F922077E2E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...6...6...6^'86...6^';6...6^':6...6...6...6S.L6...6..&6...6..?6...6..<6...6..b6...6..96...6Rich...6........PE..L...q?.g...........!.....0...........^.......@...............................@............@......................... ...}...$...P.......x................(...........A..8...............................@............@..d............................text..../.......0.................. ..`.rdata...~...@.......4..............@..@.data..../..........................@....rsrc...x...........................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):94640
                                                                                                                                                                                                                                        Entropy (8bit):6.423065206229182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:iYqYiH1S4d7O6R/S4Ka2ogPgz8KT9Tvx2+wAZLvva24:dqYiV+2Su0wTvI+wwva24
                                                                                                                                                                                                                                        MD5:F6F00886EE605DECD561BD3465151BD5
                                                                                                                                                                                                                                        SHA1:2585353A6B42041244661D260CA7885E269A38C6
                                                                                                                                                                                                                                        SHA-256:126EE74EF2F420292FA5FFC120851D8B62854253568483FCE0DFA4B30F25E0E4
                                                                                                                                                                                                                                        SHA-512:A919E02F81520D285F769CF7E92EE25C85F2EB1949A29FFF022328E10937AA779477D6641F98EAE6720C0986B46240B7B3442693C4FBA0F70E0EA17E3517BB2C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h0...c...c...c...c...c...c...ca..c...c...c...c...c...c...c...c...c...c...c...c...c...c...c...cRich...c................PE..L...Tn.^...........!.........f.......T..............................................u.....@.........................p3..|...h+..P....p...............Z..................................................@...............\............................text............................... ..`.rdata...3.......4..................@..@.data....,...@.......(..............@....rsrc........p.......:..............@..@.reloc...............@..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4838912
                                                                                                                                                                                                                                        Entropy (8bit):6.621698534821433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:T08FkQJp2B2mIzIpvOd4+jJOj8yIFIvgxV5BczbkyCIHItFtSeVdToWOHW4T1ByL:Y8FkQJp2B2mIzIpvOd4+jJOj8yIFIvgH
                                                                                                                                                                                                                                        MD5:08A8BB063D74ACF7BBF4AFCBAEC830FA
                                                                                                                                                                                                                                        SHA1:D3C3C14DF9FCF818DDE3EA9B5F4EBCB29764AF3F
                                                                                                                                                                                                                                        SHA-256:09CB23A674253F947B7F640219C0A3A691FC01CC6F6EF81F9E04FD51E48E3809
                                                                                                                                                                                                                                        SHA-512:051A601DD491E3E8669869F0D603C83B7DB6DA60F811BA6EE621154F88A282FBB9D2B7928E140F2B9120F29347B86A1EE7CCC31E82873E62766ADEE56A418500
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.......d... ... ... ...........!..?... .......%.,...O.^.!....!..(......."......."...).p.!......1......0...0c..!...0c..<...0c.6...0c.H.................!.......... ...q...).w.&...kb......kb..!... .c.!...kb..!...Rich ...................PE..L....=.g...............).@?...........:......`?...@...........................J......_J...@...................................D.......D...............I..(....H..<....B.p.....................B......GA.@............`?.....t.D.@....................text....7?......8?................. ..`.orpc...e....P?......<?............. ..`.rdata.......`?......D?.............@..@.data...le...@D..L... D.............@....rsrc.........D......lD.............@..@.reloc...<....H..>...pH.............@..B................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4838912
                                                                                                                                                                                                                                        Entropy (8bit):6.621699077903857
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:o08FkQJp2B2mIzIpvOd4+jJOj8yIFIvgxV5BczbkyCIHItFtSeVdToWOHW4T1ByI:F8FkQJp2B2mIzIpvOd4+jJOj8yIFIvgc
                                                                                                                                                                                                                                        MD5:C90EB8119820503E069B73383DFDD082
                                                                                                                                                                                                                                        SHA1:0606E9671C588E080BFB2091E3552D3C3AAAF60B
                                                                                                                                                                                                                                        SHA-256:1B782134DE77581C4B8AB8825F41D0F3A5EC94F66CA4F96F5215AC34F95329A0
                                                                                                                                                                                                                                        SHA-512:826FFC7663579CA8F8AA71D9053A6FEE21ED1258FA0331ABF24AEEF4E68341A08ADC17872857D7383B81C3564AAE2E5797875131B6C65400B7CA1B45FAE98D12
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.......d... ... ... ...........!..?... .......%.,...O.^.!....!..(......."......."...).p.!......1......0...0c..!...0c..<...0c.6...0c.H.................!.......... ...q...).w.&...kb......kb..!... .c.!...kb..!...Rich ...................PE..L....=.g...............).@?...........:......`?...@...........................J.....T.I...@...................................D.......D...............I..(....H..<....B.p.....................B......GA.@............`?.....t.D.@....................text....7?......8?................. ..`.orpc...e....P?......<?............. ..`.rdata.......`?......D?.............@..@.data...le...@D..L... D.............@....rsrc.........D......lD.............@..@.reloc...<....H..>...pH.............@..B................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1881600
                                                                                                                                                                                                                                        Entropy (8bit):6.693172838045771
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:KlUOwUJBatbEayw2w4vPUCNrZKF+s1r0eMqoyATecHVqxVY7Hvw7toEwLPr6:KGtRl4v9le6Te8qxVYjvw7toEwLPr6
                                                                                                                                                                                                                                        MD5:A011EA2D5C611606189C1015AB7C7A92
                                                                                                                                                                                                                                        SHA1:9B09C5A785E73AE8B6F17F7BAA5954F1C4054DCA
                                                                                                                                                                                                                                        SHA-256:C2220480C5A08046F4B00F79B8E9EAF2D4BDD1D9511A3378E65146F2758ADF50
                                                                                                                                                                                                                                        SHA-512:CEEAF3C04F3C0D3D2A0E48CF69C7B2BDE6C12AE8C1D91EB5C8D5E1C74D1CF73E44791648E38DBD4348F17A4CF9B18A669F6C7F9D155AB0DFE8E929A1A0B988D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........b.........................s.......s.............$......$......$......$.............................=.........%..M...%...........%.....Rich...................PE..L....>.g...............).....V.......6............@.......................... ............@..............................................6...............(.......,...,..p....................-..........@...................T...@....................text............................... ..`.rdata...\.......^..................@..@.data...`........0..................@....rsrc....6.......8...*..............@..@.reloc...,.......,...b..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):330248
                                                                                                                                                                                                                                        Entropy (8bit):6.7899102550791
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:4aXIREBEBRS1izV0CyJ8XytTl4jqNzmCPOIAOvQ10:kEhCyCOiqNxjRE0
                                                                                                                                                                                                                                        MD5:7C3B0175C350E6AEA7C5F4F331FB7457
                                                                                                                                                                                                                                        SHA1:46FE50380B66C64A98B08017DC0D8566D9B22847
                                                                                                                                                                                                                                        SHA-256:A83CDFC6ADDAC319E9CF2F950958DB790CA430F96D900B5205828EBE9B2829A8
                                                                                                                                                                                                                                        SHA-512:4B3972EB174AE834B39F34D51D19ACA9EACE14CACC54D0314DFBDE8B38C2A0514E81B5861BEE9CF8465313F6B98DB31B0C2D314B052CC8F5CDF58C7AF7E61AAC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..y..*..*..*.Vc*..*.Va*d.*.V`*..*...+2.*...+..*...+..*..r*..*...*..*..*F.**J.+..**J.+..**Jm*..*...*..**J.+..*Rich..*........PE..L...S..e...........!...%.V...................p............................... .......5....@.....................................(.......0A...............(...........}..p............................|..@............p...............................text...XU.......V.................. ..`.rdata..n....p... ...Z..............@..@.data................z..............@....rsrc...0A.......B..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):649008
                                                                                                                                                                                                                                        Entropy (8bit):6.592395353162998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:EevXOcMAzEExDWdMoe3BlkCwkupdTyu7XAgBn4Dy:9ecPzEExCaoeRqFkcTZjAgBnAy
                                                                                                                                                                                                                                        MD5:F8F5641394A455FDCC4E493ECCC7F012
                                                                                                                                                                                                                                        SHA1:02D12D3E6569EB3A669602AB12540DD509F7474C
                                                                                                                                                                                                                                        SHA-256:4B5051DDDB178BA71D1BFFF29D93693FC8DD73B3117A23E06BF6A3815CD7BA35
                                                                                                                                                                                                                                        SHA-512:BEC16EF02A11BC84A8B412B4D3F3142DC5532C88F8712C43FCF2397B4D0B6530D7DC7EBB512413C1E260711C0B5DBC454B8FE6E61886ED536953F8315C9EA74B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nR.*3..*3..*3..#K1..3..#K'..2..#K ..3..#K7.'3..*3..3..#K..)3..4a0.+3..#K5.+3..Rich*3..........................PE..L.....U..........................................@..........................@............@................................. 1..d.......................0.......pY..`................................................................................text............................... ..`.rdata...-..........................@..@.data....`...@...$...(..............@....rsrc................L..............@..@.reloc.."y.......z...T..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4642304
                                                                                                                                                                                                                                        Entropy (8bit):6.426691986717537
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:W27Bh5hx/f/OEGjZP+2IvLyUkkgauit1EfVqneLtMxYCvpwKqTXSWJls:X//ftkz4gauit1EfVqneLtMxYCvpwKq+
                                                                                                                                                                                                                                        MD5:5D6A9657FCA79D2EBEE063513C519183
                                                                                                                                                                                                                                        SHA1:968F25528CD4C674875ADFF3F6C4EE13C16386F4
                                                                                                                                                                                                                                        SHA-256:94B0C21E391E77F1D64D32D28DF0A46CE9B56A4AC6DB11D094B2259C75F5A7C6
                                                                                                                                                                                                                                        SHA-512:12F6D4D897136B115C6EE630DFC6A317CA8B47F2A080C93E2E1B30AF4B4673471B0DCE496DBA82CDA4DBFD26DC52EA65897EE24D3D0813CDBE0BA2DD6A13D0B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........5..f..f..f...g..f..Hf..f.._f..f...g..f...g(..f...g..f...g...f..f..f.=&f..f.=.g..f.=.g..f.=.gU..f.<.gI..f.<$f..f.Lf..f.<.g..fRich..f................PE..L...A>.g...............).8 ...&..............P ...@..........................0G.......G...@.................................$o'.X.....(...............F..(...`D.@.....%.p.....................%.......%.@............P ..............................text....6 ......8 ................. ..`.rdata..Df...P ..h...< .............@..@.data.........'..n....'.............@....rsrc.........(.......(.............@..@.reloc..@....`D.......C.............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.pem

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PEM certificate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5262
                                                                                                                                                                                                                                        Entropy (8bit):6.05232077920498
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:LrdBs5tNThpCwTWYOHS2zkoGwhav1x6s7xPe47Oq1JmIyztq43ZEDRS4bcrkpk7:Hg5tNTDCdRoothav1xd7Be6Ositq43yY
                                                                                                                                                                                                                                        MD5:A8B2B3D6C831F120CE624CFF48156558
                                                                                                                                                                                                                                        SHA1:202DB3BD86F48C2A8779D079716B8CC5363EDECE
                                                                                                                                                                                                                                        SHA-256:33FE8889070B91C3C2E234DB8494FCC174ECC69CFFF3D0BC4F6A59B39C500484
                                                                                                                                                                                                                                        SHA-512:3B1FC8910B462EA2E3080418428795CA63075163E1E42A7136FA688AA2E130F5D3088AB27D18395C8C0A4D76BDC5ED95356255B8C29D49116E4743D269C97BF9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:-----BEGIN CERTIFICATE-----..MIIFVDCCAzygAwIBAgIBADANBgkqhkiG9w0BAQsFADAuMQswCQYDVQQGEwJVSzEf..MB0GA1UEAwwWU3BsYXNodG9wIEluYy4gU2VsZiBDQTAeFw0xNTA3MDYwMjQ2NTda..Fw0yNTA3MDMwMjQ2NTdaMC4xCzAJBgNVBAYTAlVLMR8wHQYDVQQDDBZTcGxhc2h0..b3AgSW5jLiBTZWxmIENBMIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA..wAXrbbT7bxfdfXv4WpeKYQwEj+O5IbELiqJUnjtSL8dhSLjunEnT08eNngGtUbKU..K9UYvokPo4w9dV7ZF2SIVNLLhGINgWfKGjFEOC2HMMxF6/Npjps8UdO3zozZtDET..4InDRAPDAQDuJX2le8sbmwcN6viuMPHQH/zM4VDg86txN/ueO+MHK4PR41dxNU6g..Mi1w4rntp1/alPtJi49CmxkonTzoWZsRz4QJAUJxEFmI4/2C9fKNEdiQUazHIXc1..55qeMTyaLna1ElRl1hpqvH4N7FChuXkG3ncEQRBZr41MCCX1l6PX1MGmbu6CRmEn..dzyu2fKQdnJ2nLzOzNRBuhEv/1Jm0Sij7b0QSberPSw0BqbVOZKY4b93ZRlqrkoD..K8LxS2/DtBvoeHxbF6UV6e4xHOpPDLlOLyfi27LYipTDN3Bt9yxUzcerLMu5KhZG..US8Alv80m+pnnsoSE6C4WN+/iDeRS2K8/BxY1TyFNAYRnC1sVaqwT/0AWHamKmXI..siGuKNMNSOB/pMx+qMFmvdYLMG/FHz6kBghyaqAaSOAcHzU6JJEOmy5PfyJ1VEVT..5ZeHGhwJ6FebFVAbpyTVRslokF6N2BXUuflN8N0Rp/8d5kr8ncHgd4boM16nl+T8..NMjiA0DkFktJHxnIKUEUH0nAIimvRt6+VTGIiXiPZbMCAQO

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2512896
                                                                                                                                                                                                                                        Entropy (8bit):6.4753020549085205
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:zWGSIw1LYgvpw8oP/CEKywAzkyDee1sPjfKgxqRPZBc1kHWFHgN:q3pK2pw8GsywSkyDee1sPjfZxqRPZBcY
                                                                                                                                                                                                                                        MD5:115400EB02B4BFDF711DA98ED3C4B02A
                                                                                                                                                                                                                                        SHA1:E65EC763B49370A84C236A244243FDA769F0EAF4
                                                                                                                                                                                                                                        SHA-256:A8628AA084EAB6054F1AB1C9CAC62EB3C7A0688E56F3A41C0C15758274F5C1F4
                                                                                                                                                                                                                                        SHA-512:272E1D5900B9443817B95F1F9D503B603B704A4ED64265E4D6A8E9F49684E505A1AEEAEE503885339AC7B2AAA4904C25898D8212799050440F36D2A215AAAAA1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........~..h-..h-..h-L.k,..h-L.l,..h-L.m,L.h-L.n,..h-L.i,..h-..i-..h-..k,..h-..l,..h-..m,..h-..a,..h-...-..h-...-..h-..j,..h-Rich..h-........PE..L...H>.g...............).............G............@...........................&.......&...@.....................................T.......`............0&..(....$......j..p....................k......0j..@............................................text............................... ..`.rdata..6........0..................@..@.data........0...\..................@....rsrc...`............v..............@..@.reloc........$.. ....$.............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):984584
                                                                                                                                                                                                                                        Entropy (8bit):6.654713325570367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:gD2kCn6swdgSq3nUm08oS2R58vpo8Gp7EPVHHG0wIRCpDHFS:kvBgSq3nUD/R58vpofp4PVHHG07RgA
                                                                                                                                                                                                                                        MD5:8A17CA74AFC4FFF3A0AC2262DDD260A1
                                                                                                                                                                                                                                        SHA1:AC598B0297BF3CDF231D67A47BE942DA5173093B
                                                                                                                                                                                                                                        SHA-256:6EFCE3CC622589CE8A7B65C700692FB8EF9B97D50CDC828F0FC7E872C52CEBA9
                                                                                                                                                                                                                                        SHA-512:A8608961EF6936CD2EBAA6026B4074066A06F1CE90806C648B31E38E979F7BEB0F93A6E7BE33365A595D7DF6236E454241424DBC95EAC50867F2C78F89620BE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.....x...x...x.W.{...x.W.}.x..5|...x.W.|...x..3....x..3{...x..3|...x..3}.S.x.W.y...x...y..x.T2q.[.x.T2x...x.T2....x.......x.T2z...x.Rich..x.........PE..L....X.f...........!...).....&............... ...............................`......5.....@..........................6..T....6...........................(......T......p...................@.......@...@............ ..`............................text...h........................... ..`.rdata...)... ...*..................@..@.data....h...P.......0..............@....rsrc................L..............@..@.reloc..T............R..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):552448
                                                                                                                                                                                                                                        Entropy (8bit):5.865289433993901
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UQoq4YYQtv77f8m8end5Xy+1kvI8k9W91iVXuXskIhllJX:Noq4ih8edk+1kv5K+WhllJX
                                                                                                                                                                                                                                        MD5:935C221078C93D03DFFA92C6DC4AE1E7
                                                                                                                                                                                                                                        SHA1:EC084512AA57B0E35E54043A54BD4124E2FEC9B3
                                                                                                                                                                                                                                        SHA-256:CC2994B317104D242EF0C4DB5CCB67674B6A7AE7880106EE904BB28F84983B2C
                                                                                                                                                                                                                                        SHA-512:CE85F7546C45AE8CB5A9274D68E98202FBBAE5BFCF219C37DC7397970D45913F34A8BDB5080F18391EA657B85E994002C3669944B56DD4201FF48DDA9A8F5752
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Q.|TQ.|TQ.|T...U[.|T..yU..|TA8.UG.|TA8xUE.|TA8yUa.|T..xUG.|T..}UJ.|TQ.}T..|T.9uUZ.|T.9.TP.|TQ..TP.|T.9~UP.|TRichQ.|T........................PE..L...t>.g...............).F...........=.......`....@..................................=....@.....................................P........[...........F...(...`..........p...........................P...@............`...............................text....E.......F.................. ..`.rdata...}...`...~...J..............@..@.data...............................@....rsrc....[.......\..................@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2790912
                                                                                                                                                                                                                                        Entropy (8bit):6.515198397435764
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:Qm+e4qYkb8w/90PctbJYS2WstU02XIdons6Ac4CCFUqTy1kHWiCTo5IeuV:Qhe4qHt/900dJYS2htUVYdons6Ac4CCy
                                                                                                                                                                                                                                        MD5:A8E93783D19D36C3F4FFB1DBFAE8D172
                                                                                                                                                                                                                                        SHA1:55467CBA43ED628BA84B2581C4E75FA88AAC360B
                                                                                                                                                                                                                                        SHA-256:DB8C9ADB0CA45A4237588FE56EC1C21475BDF8695E5FC372AF38FDDC996A86F0
                                                                                                                                                                                                                                        SHA-512:F8161E64FFF874E2C9CC3578CC1AE9720823AE36DD892BBA45F92DEF99E80518581D44A58E13448360B4CBACB2D7CE65ECBE3D99B8227B2DEFBA3461EF356B6B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........RA%.3/v.3/v.3/v<A,w.3/v.K.v.3/v<A+w.3/v<A*w=3/v<A)w.3/v<A.w.3/v.3.vR0/v..,w.3/v..+w.3/v..*w.2/v..&w.3/v...v.3/v.3.v.3/v..-w.3/vRich.3/v................PE..L...b>.g...............).B...p......S........`....@...........................*.....?.*...@..................................# ...... !..W...........n*..(....(..c...H..p....................I...... H..@............`...............................text...jA.......B.................. ..`.rdata..X....`.......F..............@..@.data...|....p ..f...L .............@....rsrc....W... !..X.... .............@..@.reloc...c....(..d....(.............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):171008
                                                                                                                                                                                                                                        Entropy (8bit):6.581229579230764
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:JwTKyDvUAHJyyOREv5n9s7jZuFKeV6O4u+9CI1B4hxV4pseK:UzmdRED6Zqj6puv2sP
                                                                                                                                                                                                                                        MD5:4DBE344527099F506D75079794DDB60E
                                                                                                                                                                                                                                        SHA1:310EC3DAFDD94A00BB21592F52B4B4329C3B13F2
                                                                                                                                                                                                                                        SHA-256:EEF291009D81DF627C18C11792FC19ED3ECEAC4533F05E1E493126AC7590DD5D
                                                                                                                                                                                                                                        SHA-512:29871C8FF4143EE4E047C68401B1CF3EA7B657FB00D7AF616B23F2C10FF486077EA3AD762AEC14F28ABCEC176B1FEFFC7F35979E5B1F87174D4438D88144F270
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Z...Z...Z.....P.......J...L...J...N...J...j.....L.....M...Z...........P.....g.[...Z...[.......[...RichZ...........................PE..L...g>.g...............).............C............@.................................i.....@..................................Q..P....................t...(......l... ;..p....................;......`:..@............................................text............................... ..`.rdata..V...........................@..@.data...$....`.......H..............@....rsrc................V..............@..@.reloc..l............\..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):202752
                                                                                                                                                                                                                                        Entropy (8bit):6.625509070433462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:htEsN626n96kvoxj7gPPLyeEik8P0AP0OeJcMGdxVsxi0BgfQLQsx7dsddQ:htEsN7696tEvE3iZP0OI4QgfQE27dsI
                                                                                                                                                                                                                                        MD5:8C556148001796898D2B978DA836C27E
                                                                                                                                                                                                                                        SHA1:30310378F3ECC88C1B44846821FD6DCA4F4CBC9C
                                                                                                                                                                                                                                        SHA-256:B37622280DA30ED53B2B7F619F7CBDED9EA107E7D598689025D5C489CBCBB912
                                                                                                                                                                                                                                        SHA-512:B4AB380B98F2F71E9AA394448E934BD9566149EEA1D8DD4D3BC5EB87D5C9BE977B5F41D6F6EF823F21AD685649A6E4CA5AAC9561EEA99BBA45196565117DD87C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.To.To.T...Ue.T.O.Ux.T.O.U{.T.O.UX.T...Ux.T...U..T...Ut.To.TY.T$N.Ua.T$NdTn.To..Tn.T$N.Un.TRicho.T........................PE..L...l>.g...............)............n........ ....@..........................0......cN....@.............................................X................(..............p..............................@............ ...............................text............................... ..`.rdata...... ......................@..@.data...x...........................@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):333320
                                                                                                                                                                                                                                        Entropy (8bit):7.909775605022876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:2lc/Jz+v9TViX69NAqxVKhFcuUa/w28bgSl1FcXirkmMDt:wcU9oe61hFPqgSzrkmMDt
                                                                                                                                                                                                                                        MD5:562D29B934BFB893AF36F03CBA478AE3
                                                                                                                                                                                                                                        SHA1:5AA2D1A95EE82DADB2EE604E503CEAF3FBFDDD6F
                                                                                                                                                                                                                                        SHA-256:ADEDDB37D54E44F84BE0F3824A5C2E98EDF831D6E16836C4CDF34FC47DA4BBF3
                                                                                                                                                                                                                                        SHA-512:0E85A3BC34D44815442DAAECF910AE02216B28891D785C2C85072FB2824E0AC4056A658C76522C4659F5275F975F291C8BC9217856F52EF1DB6778069FCF8A20
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......5...q...q...q.....c...........f...V...c...q...K...t..`......{.....p...wR..p...wR..c...wR..i...wR..$.....f...q...d....R..E....R..p....R..p...q.u.p....R..p...Richq...........................PE..L....d.f...........!...&..................................................................@.............................T.......@........................(.. ...............................................................\1......................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):337416
                                                                                                                                                                                                                                        Entropy (8bit):7.910033827099534
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jlsrxoLbx49G3x2MB7oUR71gg/wl12GSHU2eQHx+0lnPmDfYfG:B0dwUQNTW12GoU2eQR+SPmbkG
                                                                                                                                                                                                                                        MD5:7A90EC5109E67E431CAF2FD55D41F82F
                                                                                                                                                                                                                                        SHA1:412F6A3E795502CD39F76FD51B138E06A081F146
                                                                                                                                                                                                                                        SHA-256:2FA77B33CCCE1B5412A9866ACB63B050F6F94485EF8AEC378BC82D02929A1001
                                                                                                                                                                                                                                        SHA-512:ACDBE23B0FA784EA5433A223AEA32CF1C86436F7C9F4E715A10B6A891B4D6B8CEAA943C26444B5813AFDB6C9C4DE6F43B81A632D74920373C0D802613DFD2ED0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........e.g...4...4...4.v.5...4.v.5m..4.v.5...4..4...4...4...4...4...4OZ.5...4.v.5...4..4...4..5...4..5...4..5...4.v.5...4...4...4...5...4...5...4..,4...4..D4...4...5...4Rich...4........PE..L....d.f...........!...&......... ..`....0... ...............................0.......7....@..........................(..X....&..@.... ...................(..$)..............................\.......|........................e......................UPX0..... ..............................UPX1.........0......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2584064
                                                                                                                                                                                                                                        Entropy (8bit):6.440913243183987
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:5PbCa9g5NKdDraFl0PGOfWHGyi2wmUKdbhPiqlI13PXuYpJnuUs9tOs:Ya90N/F6uOfWdi7KdbhPiqlI13PXu+JG
                                                                                                                                                                                                                                        MD5:EE90B98C4D5EB0D6BED3E7D17986CA3F
                                                                                                                                                                                                                                        SHA1:194CD829FAE134D99CE4D0A0ECF2A054FB1EDDF1
                                                                                                                                                                                                                                        SHA-256:3B8EE94B34CC2BB18CD5A92DC0E52CC3C807D46BC7F5B556BFE7C903351BB483
                                                                                                                                                                                                                                        SHA-512:31AE2A14FCDC4817A850331162FCE08E7200B8D78745F62C6875B51B521AD95834693DC95C8D81C5748BF91A5216C152D1143F62C04AA745F2FDF15594E05B5E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>F.._(._(._(.O-+._(.O-,._(.O--.F_(.O-.._(.O-)._(._).+\(..+._(..,._(..-..^(...!._(....._(._.._(...*._(.Rich._(.........................PE..L...e?.g...............)..........................@...........................'......'(...@..................................Z!......p"..............F'..(...p%..V...x..p....................y......0x..@...............4............................text...L........................... ..`.rdata..............................@..@.data.........!..j....!.............@....rsrc........p".......!.............@..@.reloc...V...p%..X....$.............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):301568
                                                                                                                                                                                                                                        Entropy (8bit):6.684210285014497
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:bUU7mTVMCnY51BqHdwfxlu/FHouZykwgyDbsGUH:gU7mTVMCnY5ffuZykwgcgGUH
                                                                                                                                                                                                                                        MD5:3205FE6E61A40EF3C0B3C141754A3855
                                                                                                                                                                                                                                        SHA1:E9C7487763E943612613B318290832C288BA8D2C
                                                                                                                                                                                                                                        SHA-256:618B0F0ABD74B29C153814B55D3B4305927143A5E93688210427AC463824D438
                                                                                                                                                                                                                                        SHA-512:CCEDE3BEE9E1A9BC91226FCAAE6C81F35F6D13BF13B3704C04F123F3F397EAFE0BB09E34CA68729919DE74BCCE5BC3C0DC12A5960B2F0CB227CA6DD9A878C720
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=..=y..ny..ny..n...os..n...o...n...om..nio.ok..nio.oi..nio.of..ny..np..n...oz..ny..n(..n2n.ox..n2n.ox..n2n.nx..ny.vnx..n2n.ox..nRichy..n........PE..L...m>.g...........!...)............h...............................................<G....@..........................J..$....L..<.......x............r...(......$"...8..p............................8..@...............h............................text...D........................... ..`.rdata..h...........................@..@.data.... ...`.......<..............@....rsrc...x............H..............@..@.reloc..$".......$...N..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):115208
                                                                                                                                                                                                                                        Entropy (8bit):7.877996118531337
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Ojw9KC9FNiaL9tfuTjyUDJ90sFAmUPDo0hbn+F2LyvwFOs/cYb:b9KC9FNbwl9+D7o+XmIFOh4
                                                                                                                                                                                                                                        MD5:6B82A354476FA7C56175EE060F08E2C9
                                                                                                                                                                                                                                        SHA1:D77566D72C6F1C796C2E8087A9BD04920455B138
                                                                                                                                                                                                                                        SHA-256:754C8D6C7C91B7620A7EE34665C28F0BE67686591E5B49A7E9B8C33BAEF6C37E
                                                                                                                                                                                                                                        SHA-512:E5241DCF50B4D6003FCF1FE14F8693CDE525CDF020E7CF7557B76AC954102722C7721BDE48DAE08A4524A12E611AF950588ADBEEBC95158901BCA6238CE2FA51
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[...5S..5S..5SDn.S..5SDn.S..5SDn.S..5S..0R..5S..1R..5S..6R..5S..5S..5S...S..5S..4S..5SY.<R..5SY.5R..5SY..S..5S..S..5SY.7R..5SRich..5S................PE..L...w..e...........!................P*.......0...............................@......:g....@.........................<6..(....5.......0...................(..d7.......................................,..............................................UPX0....................................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):733704
                                                                                                                                                                                                                                        Entropy (8bit):7.921389042280339
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:SEjmVTsQGgZp4zjWURE9b9Sh73+axBJIsPqTVzVpW6jg6sQNGh+rIY2eV0Vt3Cz8:SEjmpsdgZwjWUREN9o91kV5pWmNGhM/q
                                                                                                                                                                                                                                        MD5:C0B530DCB39BFFA1B2A64DCB9DCE67CC
                                                                                                                                                                                                                                        SHA1:FC80610E9876B750B5C71CDBA679610320C3DF49
                                                                                                                                                                                                                                        SHA-256:A4103499C3584F3D2274E8D81B1355312D7CCF2CA794C746915ADA79C12F0D7D
                                                                                                                                                                                                                                        SHA-512:1326AD4B4EE3920E21449A0367E5912605AEAAF5C692A9042FEEBD2E4B789408DE605A7154D2DCD8A038358A98457312403C7AD550B3CDA64ED9D3E81E23459C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........u...........A.&....A.$.V..A.%....k.......|.....|.....|..........Oa.....lD..........\}....\}....\}(......@....\}....Rich...................PE..L...w..e...........!..............(..3...(...3...............................3.....b.....@...........................3.d.....3.x.....3..................(..x.3.......................................3.............................................UPX0......(.............................UPX1..........(.....................@....rsrc.........3.....................@......................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\STRLOG\splashtop.bl

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3835
                                                                                                                                                                                                                                        Entropy (8bit):4.764498295481361
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:y7IqsbCST8eInWhT2YB9tds0xNqu72V3VcaM/g7QSEvqcAzOt6zS:y7IuxeeS9VjiMl6e
                                                                                                                                                                                                                                        MD5:D949C968DFD291B7D69CD9A65A1CBC8A
                                                                                                                                                                                                                                        SHA1:9FD25344A4E35BE5F6FCC3CBD346D9230820016F
                                                                                                                                                                                                                                        SHA-256:D166064C6FFADBD505076B633E10D5536739C3E68E4B48F6A396FD8299666E56
                                                                                                                                                                                                                                        SHA-512:68C26A66AEE424CFEAF9A5BADFA2592DA91C5B1BE65B69C60879255936413215BDA05D5633F69C7AAD2688A53A586BB54E3AC722E2DCE3BFAC034C4C1C4594B4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.svchost.exe..csrss.exe..SearchFilterHost.exe..SearchProtocolHost.exe..conhost.exe..winlogon.exe..SRServer.exe..SRService.exe..lsass.exe..services.exe..smss.exe..wininit.exe..lsm.exe..SSUService.exe..spoolsv.exe..SRFeature.exe..SearchIndexer.exe..WmiPrvSE.exe..mDNSResponder.exe..AppleMobileDeviceService.exe..nvvsvc.exe..DataProxy.exe..iPodService.exe..audiodg.exe..cmd.exe..spupnp.exe..WLIDSVC.EXE..WLIDSVCM.EXE..dllhost.exe..taskeng.exe..armsvc.exe..rundll32.exe..atieclxx.exe..atiesrxx.exe..ctfmon.exe..SeaPort.exe..nvxdsync.exe..MsMpEng.exe..nvSCPAPISvr.exe..wlanext.exe..LMS.exe..ccsvchst.exe..UNS.exe..mscorsvw.exe..msiexec.exe..iTunesHelper.exe..LSSrvc.exe..btwdins.exe..LogonUI.exe..TrustedInstaller.exe..avgwdsvc.exe..jusched.exe..unsecapp.exe..IAStorDataMgrSvc.exe..PnkBstrA.exe..AVGIDSAgent.exe..GoogleUpdate.exe..AvastSvc.exe..RTHDCPL.exe..sqlwriter.exe..IAANTmon.exe..avgcsrva.exe..mdm.exe..igfxsrvc.exe..Ati2evxx.exe..ZhuDongFangYu.exe..VSSVC.exe..wisptis.exe..hpqWmiEx.exe..avgcsrvx

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):326664
                                                                                                                                                                                                                                        Entropy (8bit):6.273611352763876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                                                                                                                                                        MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                                                                                                                                                        SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                                                                                                                                                        SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                                                                                                                                                        SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..............].......j.......j.......j...............j.......j.......j...............j......Rich....................PE..d......e.........." ................<........................................@............@..........................................p..w....^....... ...........6.......(...0...... ...................................................(............................text...>~.......................... ..`.rdata..G...........................@..@.data....[.......&...f..............@....pdata...6.......8..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):263688
                                                                                                                                                                                                                                        Entropy (8bit):6.578168733069161
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rP7UBxcJ1Puvfk+GTVGUtO9EU5dem+b0sInsLwcQRelNXkd6X0ThhYibRYI:DhmE+YQY4/eHw5ew8N0A2Xbh
                                                                                                                                                                                                                                        MD5:F276DD195D935138FA1EDA9C522CD62C
                                                                                                                                                                                                                                        SHA1:67508C991FAE8F6A503B7997D96CE4BB7AF559CA
                                                                                                                                                                                                                                        SHA-256:3E4FF68E9E2E312A9DDCD249F9BC2782103452E64CF6DF2914EF989006DD6EFA
                                                                                                                                                                                                                                        SHA-512:F3E2C301A7091D04F0D17BCDDC2BB0057366FE7089564966FE2EFD56ABD381190B01672DB6E6C7330E553382D38D7FEFDB644F1DF9F28B85714F52F695D812AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l.._(..(..(..../.)..!.,.2..!.:....!.*.3..(..!..!.=.t..!.+.)..!.-.)..(...)..!.(.)..Rich(..................PE..L...%..e...........!................+........................................@............@.............................w....~...........................(......X$...................................O..@............................................text............................... ..`.rdata..W~..........................@..@.data....K...........z..............@....rsrc...............................@..@.reloc...@.......B..................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_provider.man

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4448
                                                                                                                                                                                                                                        Entropy (8bit):3.463053305093135
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:NZ9Y9R9iY+Al8/ky6V9R9iYsrAl8/k5v+sv:0bMAl8j6vbirAl8mv+y
                                                                                                                                                                                                                                        MD5:20D8473FB148C4ADA5878B313BC776AF
                                                                                                                                                                                                                                        SHA1:1C88D93AED07AF5753D5CADE1BBA2EC1A69C81A8
                                                                                                                                                                                                                                        SHA-256:FAFFFA0C014BF46A71E323FC4275A5A9004FF90B474B1B7A30D5728FA81D3568
                                                                                                                                                                                                                                        SHA-512:5E6AD6B5F040C927685FB4BF4A83149DCDDB22F8A1BD5ECFF5B6E69ECAB80FA7DDAACFA4FA7EB35D9723F4CF364B96D61482FA805F5B6595AEDF064C3C099C2B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.M.a.n.i.f.e.s.t..... . . . .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s."..... . . . .x.m.l.n.s.:.w.i.n.=.".h.t.t.p.:././.m.a.n.i.f.e.s.t.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.w.i.n.d.o.w.s./.e.v.e.n.t.s."..... . . . .x.m.l.n.s.:.x.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.".>..... . .<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.>..... . . . .<.e.v.e.n.t.s.>......... . . . . . .<.p.r.o.v.i.d.e.r..... . . . . . . . . . .s.y.m.b.o.l.=.".P.r.o.v.i.d.e.r._.S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r._.S.t.a.t.u.s."..... . . . . . . . . . .n.a.m.e.=.".S.p.l.a.s.h.t.o.p.-.S.p.l.a.s.h.t.o.p. .S.t.r.e.a.m.e.r.-.S.t.a.t.u.s."..... . . . . . . . . . .m.e.s.s.a.g.e.=.".$.(.s.t.r.i.n.g...P.r.o.v.i.d.e.r...S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r._.S.t.a.t.u.s.)."..... . . . . . . . . . .g.u.i.d.=.".{.6.6.

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28160
                                                                                                                                                                                                                                        Entropy (8bit):3.7217591844595956
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:/xr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:/24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                                                                                                                                                        MD5:29F288F751FBCEA5CD75EA9774882787
                                                                                                                                                                                                                                        SHA1:5A4C30382C63E29E848B681D39CC213C2198E12E
                                                                                                                                                                                                                                        SHA-256:711702EB24803788CE601996F90B7EF57EEF1F764F7AAF3A96E2196ED4A9533E
                                                                                                                                                                                                                                        SHA-512:B7FC0A739B33E79232EF506393CF90297F4D41F165F34B5BE50648D8A1967419E1F0EE369E809D5C142898824E8B5A3784106D33A2D1D72CD811D5352F4BBD60
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.<...R...R...R.......R...P...R.Rich..R.PE..d....._.........." .........l............................................................`.......................................................... ...h...........................................................................................................rdata..p...........................@..@.rsrc....h... ...j..................@..@......_........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....!...g...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28160
                                                                                                                                                                                                                                        Entropy (8bit):3.7214568392805565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:xXxr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:xX24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                                                                                                                                                        MD5:BE32CA6CD3810D278DC07C2D67FA5A44
                                                                                                                                                                                                                                        SHA1:63C47D24563F3E19BADE1482BA91D57542736C6C
                                                                                                                                                                                                                                        SHA-256:2F28F5D4952FD4430568AFCCE023C4885B47BF7C705950B252555C7D92EEFB72
                                                                                                                                                                                                                                        SHA-512:C21FF9E2116F0C469642C47B85E6D36970344F6C929B018DB6BED88FEFB54AA9C82EDDA1F9123F1B493E9046DE2B46C44C62900967752110EA056B54CEB56E85
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.<...R...R...R.......R...P...R.Rich..R.................PE..L....._...........!.........l............................................................@.......................................... ...h...........................................................................................................rdata..p...........................@..@.rsrc....h... ...j..................@..@......_........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....!...g...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1458184
                                                                                                                                                                                                                                        Entropy (8bit):6.608368260050606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:3u1d1TlM6S5+KpPH2+68gJ4dxM3GsFa8cihBUbo0h3yT26:3ub1T2B/+J4jMWsFa8cJbo0h3x6
                                                                                                                                                                                                                                        MD5:86FB762B6F48E0F579D8E1C20D829E5C
                                                                                                                                                                                                                                        SHA1:35643C93BAF6F1A0DC2607C2F65D339DD149FE71
                                                                                                                                                                                                                                        SHA-256:1837087E75DE428C18ACEC7F2EF7576752396A3A1EF15450230734E9EE194B28
                                                                                                                                                                                                                                        SHA-512:A0A53F0C256DD1ED0FA512E11A4AB936BD829B22E37C422194144CF022192B2C7157A4220BAD2ABF45CA6FF44FA3E954BE57147E57CB869D1E53399F5895FB13
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ..N...N...N...N...N.....N......N......N....~.N......N...O...N....9.N......N......N......N.Rich..N.................PE..L......e............................Ku.......0....@.................................(.....@..............................................................(...........5..............................pb..@............0..............................text............................... ..`.rdata..@....0......................@..@.data... ........j..................@....rsrc................&..............@..@.reloc..F,..........................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1721576
                                                                                                                                                                                                                                        Entropy (8bit):7.978334410477683
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:oU4MsColC6Je/ZgY7OOfcEpiRLH87SyVXGe38uKUj+NFVov1PJLfVKZ8F5mEeZWF:BFCsfZRZA6Xn388avVovfLd+Mo4iEF
                                                                                                                                                                                                                                        MD5:4DA5DA193E0E4F86F6F8FD43EF25329A
                                                                                                                                                                                                                                        SHA1:68A44D37FF535A2C454F2440E1429833A1C6D810
                                                                                                                                                                                                                                        SHA-256:18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
                                                                                                                                                                                                                                        SHA-512:B3D73ED5E45D6F2908B2F3086390DD28C1631E298756CEE9BDF26B185F0B77D1B8C03AD55E0495DBA982C5BED4A03337B130C76F7112F3E19821127D2CF36853
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.v...%...%...%.m+%...%.m:%...%...% ..%.m-%...%.m=%...%.m,%...%.m7%...%...%...%.m*%...%.m/%...%Rich...%........................PE..d.....[J.........." .........0............................................................@.........................................`................p..l!...`..,....,...............................................................................................text...L........................... ..`.data....J..........................@....pdata..,....`......................@..@.rsrc...l!...p..."..................@..@.reloc...............*..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15072
                                                                                                                                                                                                                                        Entropy (8bit):5.857603927715577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yJaZmN9l0HNbsphoCqpQATeZjMcnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrie:kaZM0HlGOpQMejxnYPL/p1P6jeL3b
                                                                                                                                                                                                                                        MD5:3CDAE3B3A3AE968DB4756613EEFF3680
                                                                                                                                                                                                                                        SHA1:FF474C2D8A83BD5AF0A6B6CA954004D86BCF6FCA
                                                                                                                                                                                                                                        SHA-256:8DC9051BC452639550EC4F956F1DBBAC2D2A1886868C17743A3E4BE22297E166
                                                                                                                                                                                                                                        SHA-512:50E01496A3F891AC4BB455092427A4549406EAED44A292D415B8B42DF5FF72D1352EA6FCC66B2A11151AB9AE6590158753CC28E78F2DAC7FEBD5F6B8B4908126
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'N.OF .OF .OF .OF!.JF .F>..JF .F>..LF .F>..KF .F>..NF .F>..NF .F>..NF .RichOF .........................PE..d.....#Q.........."..................a......................................................................................................<a..<....p..x....@..l...................@ ............................................... ..8............................text............................... ..h.rdata....... ......................@..H.data........0......................@....pdata..l....@......................@..HPAGE.........P...................... ..`INIT....*....`...................... ....rsrc...x....p......................@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21216
                                                                                                                                                                                                                                        Entropy (8bit):6.105547248727277
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Zfhpq1BKeL/JQyyo0Y0HgWjkRtPzjn4nYPL/p1P6jeL3fq4:hhpq1BK8/JMYChMxXn4umiP
                                                                                                                                                                                                                                        MD5:A10A6FC3F643F82777345ADDC182799A
                                                                                                                                                                                                                                        SHA1:015BDFF614CD475C119C9CDC25950E8226930584
                                                                                                                                                                                                                                        SHA-256:8D09A7643A0095A0077710423E7D8D7134F9197B6F73DA427333790BA3774A61
                                                                                                                                                                                                                                        SHA-512:5D2D6FDCCB9A99F95467E734AC83C77162D5D4509248A4BFDCE493BDD9D140220416095E0F75DDAB50071850FC0892CED2835336D1C42F4A3AC87F0D66C41ED8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'F.SF(.SF(.SF(.Z>..PF(.SF).AF(.Z>..VF(.Z>..PF(.Z>..PF(.Z>..RF(.Z>..RF(.Z>..RF(.RichSF(.........PE..d.....#Q.........."..........&..............................................................................................................`...<.......@....`.. ....6...............0...............................................0...............................text............................... ..h.rdata..L....0......................@..H.data........@......................@....pdata.. ....`.......$..............@..HPAGE....x....p.......&.............. ..`INIT.................*.............. ....rsrc...@...........................@..B.reloc..<............4..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1461992
                                                                                                                                                                                                                                        Entropy (8bit):7.976326629681077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:GjG90oN2lj11mk/22yYzGrarZRm4X5Uh6rVh5LdfBwOyCSQM1fFhSWRA2+:iGtN2h1120R7m4XShYVxfBwrC21fXSz
                                                                                                                                                                                                                                        MD5:A9970042BE512C7981B36E689C5F3F9F
                                                                                                                                                                                                                                        SHA1:B0BA0DE22ADE0EE5324EAA82E179F41D2C67B63E
                                                                                                                                                                                                                                        SHA-256:7A6BF1F950684381205C717A51AF2D9C81B203CB1F3DB0006A4602E2DF675C77
                                                                                                                                                                                                                                        SHA-512:8377049F0AAEF7FFCB86D40E22CE8AA16E24CAD78DA1FB9B24EDFBC7561E3D4FD220D19414FA06964692C54E5CBC47EC87B1F3E2E63440C6986CB985A65CE27D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.B...B...B...Kd1.E...B.......Kd7.Q...Kd .M...Kd6.C...Kd'.....e...C...Kd0.C...Kd5.C...RichB...........PE..L.....[J...........!.........N......C................................................S....@..........................................P...<...........6..................................................@............................................text............................... ..`.data....G..........................@....rsrc....<...P...>..................@..@.reloc...............*..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13024
                                                                                                                                                                                                                                        Entropy (8bit):5.821753253165571
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hjJQAzeZjMpnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrMYPT:RJQUejknYPL/p1P6jeL32Y7
                                                                                                                                                                                                                                        MD5:C57099F9A63D144A9CDC103D2C42A6AC
                                                                                                                                                                                                                                        SHA1:F2AA1DBAC145BDA82DEDB69CA969EF4D0831C3DD
                                                                                                                                                                                                                                        SHA-256:D8390287A8865769BB50B0B83E7E7FC56B055BFC48D3513146CDB8D3954338BE
                                                                                                                                                                                                                                        SHA-512:18AB1AB0D233AEAAB786A28AEF766AAD9C683859628AEE94527C426DE7F63171345CAB4ECF96C54F19C93DF5E637A4D845C2487049DE161E19229F6253C775E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................................................Rich............................PE..L.....#Q.............................P....... ......................................r........................................P..<....`..x....................p..8... ............................................... .. ............................text............................... ..h.rdata....... ......................@..H.data........0......................@...PAGE....#....@...................... ..`INIT.........P...................... ....rsrc...x....`......................@..B.reloc..j....p......................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\install_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):224
                                                                                                                                                                                                                                        Entropy (8bit):4.711399671949434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGIIbdELVKT7:kidCicjdCiMt/jdx7
                                                                                                                                                                                                                                        MD5:001B12FA9D827E2A53675F4FFC5D68D8
                                                                                                                                                                                                                                        SHA1:0D1221A35F3FEF1B8B0B38E835BFB8F35357D3AB
                                                                                                                                                                                                                                        SHA-256:2C6E538B58C32DFFC7E3ED85175A2F5D08C5AA3FA68EE05207DB6A015D778DD1
                                                                                                                                                                                                                                        SHA-512:E85BAD69B1F36D36B96A03713B885FDDC485E7DA5A5FA4B07F5AFD7264BC9989F4AEA14822588F3921EFF4C6C5E7D2737CD382866A089DA8F4A19CAF69BC3FF3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log..utils\devcon.exe install sthid.inf HID\sthid >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\install_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):232
                                                                                                                                                                                                                                        Entropy (8bit):4.799817305367961
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcGIIbdRL6VKT7:kiddcjddMr/jdD7
                                                                                                                                                                                                                                        MD5:4D969376976863ABA27CCF817EB97219
                                                                                                                                                                                                                                        SHA1:F65EA3234AFC4741F48AF51EE83280520969BF5A
                                                                                                                                                                                                                                        SHA-256:C62D9158C0807D0EE3225E13BAD307199AF61DF1659ADCA91E1361865C325EEE
                                                                                                                                                                                                                                        SHA-512:88F38ED5AD7FECDE209782D1111C142BE63AE54D73A71E737BEBC0FB1498D7988AC9EC0173DEF5F6E0A17192A5F802145E69BFDA606B253AFBFE23B5058A7413
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..utils\devcon64.exe install sthid.inf HID\sthid >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.cat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11968
                                                                                                                                                                                                                                        Entropy (8bit):7.0656302139179195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:5eMsGsZrVjbd/22z0yK2zFWQFyGZh4qnajA3vKkCTglckNVa:HsGsZr5pRpFRj0lo3CXkNk
                                                                                                                                                                                                                                        MD5:50BD9CFE7F724B3001FC833FF3FC284D
                                                                                                                                                                                                                                        SHA1:5A2D4C52C87170AFAE9F3F4DC75A81A046FF3EEB
                                                                                                                                                                                                                                        SHA-256:C7AE67C9A0669F2798ECA4452552F8F4919E2FB6D117ED290AC3F64966ECEEE0
                                                                                                                                                                                                                                        SHA-512:52CC8930BAC7CBE7AF9C2B64D8A3BCF874D76DDFA21691B3B47E4B5BE938BF42D1D0BF0B6BFA3EEEC61D81328B41FB608AC8DA5F278BF06C1AB294B0055FB3FF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0.....*.H..........0......1.0...`.H.e......0..X..+.....7.....I0..E0...+.....7......C....G.|J].q.z..130223030803Z0...+.....7.....0...0.....c.....I..x.....c...1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0.... . q&H.Hv4;.s....N....uB^...@_.%1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... . q&H.Hv4;.s....N....uB^...@_.%0.....o..5....,.SV..\....1~0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...06..+.....7...1(0&...F.i.l.e........s.t.h.i.d...i.n.f...0.... (..~......&vHk_..4U..:.Tu="|:H.1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...06..+.....7...1(0&...F.i.l.e........s.t.h.i.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... (..~......&

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.inf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4350
                                                                                                                                                                                                                                        Entropy (8bit):5.269640657392187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:BmLnkrr4fzkQCmlCDHCMmDtu6KgbNHYFMDO:BmLny0fzkklCmBtu4NHBDO
                                                                                                                                                                                                                                        MD5:6580EDB5B8713F3BFD3DF983758A4EA3
                                                                                                                                                                                                                                        SHA1:1E6FC7E435A3C3E20E2CFF5356DED95CF0C7D0EB
                                                                                                                                                                                                                                        SHA-256:815FBD6C3BFAE5EA77ED77480FAAC1AFAE946D4BF109B95480C60030A83AE1B1
                                                                                                                                                                                                                                        SHA-512:EA332A77DBDCC2184B2154EF496DAE4C663075447EC4ACF61E83A5AAACCF702E2F0E0F6D7F91E4499993A9B9D7C3A9A21C495EEAD606E2F5EB5F4DF272A86928
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature="$CHICAGO$"..Class=HIDClass..ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da}..Provider=%splashtop%..DriverVer=02/18/2013,1.0.0.5..CatalogFile=sthid.cat....[SourceDisksFiles]..sthid.sys = 99..hidkmdf.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..CopyFunctionDriver = 12 ....[Manufacturer]..%splashtop%=Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....; For XP and later..[Vendor.NTx86]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....; For Win7 and later so that we can use inbox HID-KMDF mapper..[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....;===============================================================..; sthid for XP thru Vista..;===========================================================

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18144
                                                                                                                                                                                                                                        Entropy (8bit):6.199619066707982
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:D+CpJmsGTJgbzPvaen0XUqcZzpV1DzjBnYPL/p1P6jeL3CX:B85e4+zpbXBumPX
                                                                                                                                                                                                                                        MD5:5904635A7888083EBB86C3A1218CB59B
                                                                                                                                                                                                                                        SHA1:69540333726CEF1EABD5B75D56822B36F9065840
                                                                                                                                                                                                                                        SHA-256:00648146272AF74EF5B1E74E83F58280FA1CC403621941AB3CB4E731756289F7
                                                                                                                                                                                                                                        SHA-512:56B936EFBD05D0906577754334D9B1A562AE0AD25574E22149C6BD97950FD73809A4EF1542D4D7CAA4E5B81DF53975FDB1D57381232F9B8D17A463F1E1A81859
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q...Q...Q...X...R...Q...D...X...V...X...S...X...P...X...P...RichQ...........PE..L.....#Q............................v........ ..............................................................................<P..P....`..@............*.......p..t...` ............................................... ..`............................text... ........................... ..h.rdata....... ......................@..H.data...`....0......................@...PAGE....t....@...................... ..`INIT.........P...................... ....rsrc...@....`....... ..............@..B.reloc.......p.......&..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):164
                                                                                                                                                                                                                                        Entropy (8bit):4.75247427731045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:jTDVBF+jVy/d/KiIKTAFshseJDo7EIbd/KiIKTA8vXto7EIl2YR41NDoC:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGC
                                                                                                                                                                                                                                        MD5:6E5A084690CBEDCB4F74C1C365F2048E
                                                                                                                                                                                                                                        SHA1:379AF77A9066EE1EFEA1C17A21CF1C0AD7BF17FD
                                                                                                                                                                                                                                        SHA-256:F67BFB651037E84F5AE6965B5511FA1B9BD2C819B034A8284462AF01C0E0148F
                                                                                                                                                                                                                                        SHA-512:1ED233EF2BB513DCB9F3610AC36BBEB07259EAC7BA6F96E596B111C137F6B1BB35E1200ECAB3914925C6CCB80CD3A74ACEB40FA3775300151D34C7AB9C47A84F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver64.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):172
                                                                                                                                                                                                                                        Entropy (8bit):4.845091480099467
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:jTDVBF+jVy/dRLX/IKTAFshseJDo7EIbdRLX/IKTA8vXto7EIl3xR41NDo7n:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcG7
                                                                                                                                                                                                                                        MD5:C949FE57CE36D8C5FF18AD66A5C83138
                                                                                                                                                                                                                                        SHA1:BE891CE4AF8434FB3A439F7F0CB9EC3E17BDB99A
                                                                                                                                                                                                                                        SHA-256:8A5E292037FFC57F78E8C8D8AE945C319A41FABEB2112099BA3FFD9D08D4C1AA
                                                                                                                                                                                                                                        SHA-512:5F22FB7C586852EF5EDB8A28250B4BAA2194FE7599E1EF0733554E512ADCC7326D625F67CACD21C06A3B9A8B43AAF7B8E23D1C529FCC1B36D3E983AF5384FC4B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                        MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                        SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                        SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                        SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                        MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                        SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                        SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                        SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidNotSupport.reg

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):288
                                                                                                                                                                                                                                        Entropy (8bit):3.654691319611147
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12qv:Qy5hVZteAxDZBuGp/hUp
                                                                                                                                                                                                                                        MD5:AFB11B8A638A36856B635F9805BEC627
                                                                                                                                                                                                                                        SHA1:29E88479691D922698D1DAEC3F06EFD438CB90F1
                                                                                                                                                                                                                                        SHA-256:908EF8C0EEE73EFFAE7CA6AAEF29387302B1D69AEBE5EA587DEE7F1589F418D6
                                                                                                                                                                                                                                        SHA-512:1C929F635DF273BF7843A433C461761374E3CE8B2A41C479E2AA9B6A27F4CEF5CE78BAE8902EE99673E33E9E165333A1A4C09D8503F259809F282E6B4A15EBA9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.S.p.l.a.s.h.t.o.p. .I.n.c...\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r.].....".S.t.H.i.d.S.u.p.p.o.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.0.........

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidSupport.reg

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):288
                                                                                                                                                                                                                                        Entropy (8bit):3.6709758888329973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12q8:Qy5hVZteAxDZBuGp/hU2
                                                                                                                                                                                                                                        MD5:4F4EC6847BC91FCFAC8BFE7840649CCE
                                                                                                                                                                                                                                        SHA1:642FB6860473391D28E1DC407A81B3829D048AFC
                                                                                                                                                                                                                                        SHA-256:CC4837A65AE43EDF3AA3FD2C77912A881694C43EE203A127CE27641455AC7AD3
                                                                                                                                                                                                                                        SHA-512:C896A60395237BED708C79CDBFF2FE9685E8B42A140EF96C2352559128B7700DFF8CA7267261A9EB5143583F296D0498C811E092516408B5500CC75DA8409C44
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.S.p.l.a.s.h.t.o.p. .I.n.c...\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r.].....".S.t.H.i.d.S.u.p.p.o.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.........

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):77824
                                                                                                                                                                                                                                        Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                        MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                        SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                        SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                        SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81920
                                                                                                                                                                                                                                        Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                        MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                        SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                        SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                        SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):207872
                                                                                                                                                                                                                                        Entropy (8bit):6.37796848857206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7GvbxQUBBNCDNRKmW5yI0q4WpEpdXbTtSpA4bNzNm0piB:UzCDNMCq4qp7bNzNm0pE
                                                                                                                                                                                                                                        MD5:0FCEB59B7E6FF46D27B896748593B5F4
                                                                                                                                                                                                                                        SHA1:5F92608A664FB069B781F3C51AC10C5ECCC89817
                                                                                                                                                                                                                                        SHA-256:F95D664CFB6A96172C733957A7164F7C89D29A09557154DA6745510B364CA5D8
                                                                                                                                                                                                                                        SHA-512:EBF7D13B0BCC97ECFA92299894165E7CF435D89EE90F553DA0B4B1DA5F764C6339102BB92DF63AE1EB23903F8D147AAB919F536B0873DF9E7C7D6BE482AAC7F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................~......~.......?................../....}.....}.....}.....~......~.............|......|C.....+.....|.....Rich............PE..L...p>.g...............).....t....................@..........................@............@..........................................P..p................(... ..|.......p...............................@............................................text...Z........................... ..`.rdata...{.......|..................@..@.data...H....0......................@....rsrc...p....P.......&..............@..@.reloc..|.... ......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):198608
                                                                                                                                                                                                                                        Entropy (8bit):6.465406905232138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mNvlfI7fn3+ksrtRYs5BZdHEsTznNZQtiF22W9bKReKn:+fMnuhrrYszTjTQtiF22WKl
                                                                                                                                                                                                                                        MD5:B51CB7BD99774F42D4FCD81522E159DA
                                                                                                                                                                                                                                        SHA1:815646C93E09F0DB23951F3D8CD7319240CDBD43
                                                                                                                                                                                                                                        SHA-256:55C8BEEBC29238A691AF1FDF44D922BDAC9B47034956311A9D467374049462C2
                                                                                                                                                                                                                                        SHA-512:3375489BC03A442775FB02C5AB1D264FF2A972A805179B9F860D1FF26F09E529DCF7D03EA18CF3D56FC1DD429423C344CBFC4B89F20158D84896AA257240796A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f.............+......(......-......).......`...p_....>......?.5....?.,....?./....?.*....Rich...........PE..L......R...........!......... ......!........................................0......m8....@.........................pa..o9..8R..P................................"......8...............................@...............h............................text...F........................... ..`.rdata.............................@..@.data....8.......4..................@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):561584
                                                                                                                                                                                                                                        Entropy (8bit):6.5335413043485335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:n+Uac7b2syTCmCZ9z7I6KxOYDkHlTiO+k86hiCivi:+UacGbC7bYgHlTi6eo
                                                                                                                                                                                                                                        MD5:A9A9D31764B50858A01B1FB228406F06
                                                                                                                                                                                                                                        SHA1:7A313C46F049287045992F54F9D6EDA9DB568EF8
                                                                                                                                                                                                                                        SHA-256:C0BABD7670124BB298D3BA6A8EE5AE33AD1030C08A18D8B8861F5D83003EB645
                                                                                                                                                                                                                                        SHA-512:164D5497AA91A5B4742A291F589400BC0B189AF946615A2F04E6CFD1ED598A542F7521E4DD79AAB99414846A3C391255309F911C247EF446A0483D9FAB6EFDFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................h......._(`........................................V....V......V......Rich....................PE..L...9..X.........."!.....X...h......-T.......p......................................}/....@.............................`6...D..P....................z..................................................@............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data...TT...P.......<..............@....gfids...............H..............@..@.reloc...........0...J..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11479560
                                                                                                                                                                                                                                        Entropy (8bit):6.352121129517374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:QFLqnywIMoJDvZ4drfgYOfyg74bvnFCw4UnH:QFLqywhoJDadbk6HFUUH
                                                                                                                                                                                                                                        MD5:2EA6D3B8DEF550387EF986976A2C7302
                                                                                                                                                                                                                                        SHA1:7A0471A88819941FAA90C017593DE695FFE2CEB1
                                                                                                                                                                                                                                        SHA-256:D024B79B5B6DF6AC65A10A3E3D88266D4FBA17F5E1CDB9F9A4C0E276499741B9
                                                                                                                                                                                                                                        SHA-512:545BD9203B3A1D762C29755DA4021565C85DFF12A49992BE98A17BB9A6C342CAD955A5CF1C4D572B654BE70CDC40F12B0C6BEE221ED23CB31EE311670EEE12E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.f.................4...........R... ...`....@.. .......................`...........`..................................Q..L....`..w................(...@......0R..............................................(R............... ..H............text....2... ...4.................. ..`.rsrc...w....`.......6..............@..@.reloc.......@......................@..B................H.........[.*lQ..........(..c3.\.(......................................0<.I.......s.u.....}.'....}.'..s.u...(....~u.....(....:.....(....&.......%.......(@....(a...(....(.....(....}.'..(.....r...p(:...~.'..%:....&~.'.....u..s....%..'..oT.....o...+}.'...o...+...s....}.'...{.'..o....9#....(....:.....{.'...o.....{.'...o......{.'....{.'......u..s....(.....{.'..o....95....{.'..o....9%....{.'..o....:.....{.'..oB...:....(.....{.'..o|...o....9$...r...p.y..........%.......(@....(a....{.'..oH

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1077592
                                                                                                                                                                                                                                        Entropy (8bit):6.435239338734592
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:n7PeeMxAg8KA6EhyC/H488sCGF8MBo9Bi8sROlu4VWKl6sEPdf8/2RYv:cxNEhyC/H488sLqMDIlu4Nl6suK2Re
                                                                                                                                                                                                                                        MD5:EEDA10135EDE6EDB5C85DF3BD878E557
                                                                                                                                                                                                                                        SHA1:8A1059DFD641269945E7A2710B684881BB63E8D2
                                                                                                                                                                                                                                        SHA-256:4B890DE3708716D81C1C719B498734339D417E8FFC4955D81483D1EBC0F84697
                                                                                                                                                                                                                                        SHA-512:A56BFC73537E36EFBA8E09FFD0B2F6BFC56BC4CB4FE90B52858C7AFD5D67DB23CCBA51C8097BEFE4ECB5082BA66C2B2612E2975EF3448252C48B97F41D12D591
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^1...P...P...P..!z=..P..!z<..P.......P...P...P.......P.......P......!P......qP..=...<P.......P.......P..Rich.P..........................PE..L...8d#I...........!.....>..........a........P...........................................@..........................6..c....)..<.... ...............V..X....0..........................................@....................)..`....................text...s<.......>.................. ..`.data...d....P...H...B..............@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.cnf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):638
                                                                                                                                                                                                                                        Entropy (8bit):5.242618018191851
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:oOtKAD4cL4jVpfWBzX2TShiucyjmwB//Rmq5FjZijTofkVge1O0lgxErqM6n:ocKVg30ucBwB//Fjc7VgQ6erJ6
                                                                                                                                                                                                                                        MD5:D011ED12A4DC54F39CD759858187A2BB
                                                                                                                                                                                                                                        SHA1:EC4F5ADDF866E895804F165B11A3113BE2BBDF80
                                                                                                                                                                                                                                        SHA-256:149C66BB43535842B1C958BD374C63151A9004F167F84FF4C26D824140D94546
                                                                                                                                                                                                                                        SHA-512:D8C126A9D49CABE4F5A7426E8A28C307175705793A0BA00B389A6CF102E1C5B67EAAD86120D18E4255939BA25A16941509FF200645BEAA5ADDF806AAF78D632D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..fips = fips_sect..base = base_sect....[fips_sect]..activate = 1..install-version = 1..conditional-errors = 1..security-checks = 1..tls1-prf-ems-check = 0..drbg-no-trunc-md = 0..module-mac = E7:9A:3C:79:A6:26:9B:08:C8:49:E6:39:CF:53:1D:51:80:84:F9:03:51:1E:6F:F7:0D:54:99:06:7E:6F:7A:D9..install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11..install-status = INSTALL_SELF_TEST_KATS_RUN....[base_sect]..activate = 1....[algorithm_sect]..default_properties = fips=yes

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):697864
                                                                                                                                                                                                                                        Entropy (8bit):7.894512069336346
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Oek+rZ1rpE3R12+FB0eieQUAD3+yrjxZq0TjhECtMk7cRewV+KGQabw:Oe7PrpEvnFB0eie/EuyXxZq0T/tDcRhH
                                                                                                                                                                                                                                        MD5:6988F7203F05D378C5891246FD6BDB8A
                                                                                                                                                                                                                                        SHA1:61BF4CC18635D2367079F8D0EFD68D0ADE0649CC
                                                                                                                                                                                                                                        SHA-256:E492BDD2BEA606D5FF645B8E79F294B4811CA987FF9D7B53B49079D305F03AD4
                                                                                                                                                                                                                                        SHA-512:8DB30DF8B64B283D35BB78BF813D6FCE476E8EEDC77FBFB6780D58316AFF8A9C728A4BBE9D593E60913CC14696EDEBA25C0AFEE3338275E4EB62CEDB6235681E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+..fo.i5o.i5o.i5$.j4d.i5$.l4.i5$.m4{.i5.3j4z.i5.3m4~.i5.3l4q.i5$.h4h.i5o.h52.i5o.i5b.i5'2m4..i5'2i4n.i5'2.5n.i5'2k4n.i5Richo.i5................PE..L......f...........!...)............0 .......0...............................@............@..........................4..P....3.......0...............~...(...4......................................."..............................................UPX0....................................UPX1.............t..................@....rsrc........0.......x..............@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.cnf

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):168
                                                                                                                                                                                                                                        Entropy (8bit):4.40567624896974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:ekfDaZOtK1FA1Jn4R7mvLvn4RYVXKCw/AFLr+TmNfOmZyJn:xiOtKADn4NmvDn42oCQG3+TJn
                                                                                                                                                                                                                                        MD5:A43B7D72B482D48804B377D8832C2693
                                                                                                                                                                                                                                        SHA1:B1598EFDA8E9863F520ABEF9AAA942C313C002FD
                                                                                                                                                                                                                                        SHA-256:9ACDE3809E2C02FE5D6C59153AEFFFE6628996EC5CFB7C2385865DCD1EC8BE7E
                                                                                                                                                                                                                                        SHA-512:F0777A8F79E70F8A12F531C3E77F5241E9ED46ACC6A1CBF06FF7A29D91EE281E4CD2A9C1832642992FE74D33B052670F85439E5925FDB7C44DE60014E53712DA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..legacy = legacy_sect....[legacy_sect]..activate = 1

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):160776
                                                                                                                                                                                                                                        Entropy (8bit):7.899895349405453
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:H/sEMdTGyFIYyCYpJLCKbfBzucH7Qt3zgHIlWbKIxUNCWJzQAaDFD:UHUTCwRJbU3zOb7FWJQ1
                                                                                                                                                                                                                                        MD5:9E2B825AE78562717311B9D8B92D764F
                                                                                                                                                                                                                                        SHA1:B878616DF4D36F6694FB9F1826F7D08D01088AE5
                                                                                                                                                                                                                                        SHA-256:A874CA3EC78D406D5C45F9AEEC8A3ACB4E4C9E4677D383F09A2D85CE1B70987D
                                                                                                                                                                                                                                        SHA-512:B8C201ED6B856DB07B031A30E6D28C3A5A62DAF39A75265F8AC0DA58C3DAF8ED7609DF91C7A946118D390468A48C6A0AACA5BB7FF501770AF366CAC7F003C6C2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ge[.............~.......~..n....~.......~..........................................s...........................................Rich............PE..L......f...........!...).P.......p..................................................:.....@.........................l...P............................L...(..........................................................................................UPX0.....p..............................UPX1.....P.......B..................@....rsrc................F..............@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):106488
                                                                                                                                                                                                                                        Entropy (8bit):6.320283872849081
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:idvQnJ9Cy5G4XmkRCXZ5YPPAq4SjIZUKzFrRjbuPp94H:idvby0lZ5YPPAq4SjIZUKLjbuPTw
                                                                                                                                                                                                                                        MD5:8428C29E17CAE62C8379B330C45251C8
                                                                                                                                                                                                                                        SHA1:2EE8C04014D6424D98CBA58C3F67B4A0C045B360
                                                                                                                                                                                                                                        SHA-256:94AFE8C66336AB54770DFF910AF4F4B7B572F3C843E42B73C8948463614C1A50
                                                                                                                                                                                                                                        SHA-512:3621ABE3DD0BFBF1FEAA7F0B4D31056447406321DF66FD60F79A7077F54641DB19DB8FB11B900E182733C35B96EE0555F159F5DD912CE6C17D99B39D8E057052
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......K.>..S......#.........:...............0.....m................................rD........ ......................P..o....`.......................w...(...p.......................................................................................text...............................`.P`.data........0......................@.`..bss....4....@........................0..edata..o....P.......*..............@.0@.idata.......`.......6..............@.0..reloc.......p.......:..............@.0B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1336328
                                                                                                                                                                                                                                        Entropy (8bit):7.871375711510445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:B/fqcYYzqZYz970TN1T42xGWD9bujQdC5NNQIpL8575+HZ0tuC+:NHRzHuh1cQGWDRu08Q0L8J5+HZ0tuC+
                                                                                                                                                                                                                                        MD5:67998603B05979931B23D16655529E15
                                                                                                                                                                                                                                        SHA1:A7EE73C900A3F6EEDFDEFDBC3A2099D5185BAEE2
                                                                                                                                                                                                                                        SHA-256:6A08DBFBFBBDEFE80D9CFCDF8BC26C9183A4FFEE24EEE0FA62571381AD28E9D4
                                                                                                                                                                                                                                        SHA-512:1BB92EBA016C76CB446FF0152BB13EF6043E05A5E2C14B38080F6CC7DA5CC2E4CC25C88717222917C128DC08F9DA3937E1635FBB21BCC4ABF10B9344CBED2369
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1.seb.seb.seb..fc.seb..`cxseb..ac.seb..fc.seb..ac.seb..`c.seb.sdbWseb..dc.seb.seb.seb..ac!qeb..ec.seb...b.seb..gc.sebRich.seb................PE..L......f...........!...).....0....(.`.:...(...:...............................<.....*.....@...........................:.|"...:.@.....:..............<...(....<.....................................D.:.............................................UPX0......(.............................UPX1..........(.....................@....rsrc....0....:..(..................@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):665096
                                                                                                                                                                                                                                        Entropy (8bit):6.7123002524702144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Q2faLhcqedTWswfIGeXJlte2MU0hFVX2YNGp:Q2CLWJWLI53JwVX22Gp
                                                                                                                                                                                                                                        MD5:9CC8906D902382CC11C4D4D3BBED8DBD
                                                                                                                                                                                                                                        SHA1:9A73671E7952DE65E8A8CA21ADFABC871E157046
                                                                                                                                                                                                                                        SHA-256:CF199C492F0AA0376BE124E74DB1B6B7D5FCC796F37714B777CBADACF3F07E46
                                                                                                                                                                                                                                        SHA-512:28857B9BE062229C1DAFDE61444FEAF0A63B888D9670BC878B7BF7E2F41B60533AF87863BE0F6A47FE4E950927EBEA18FAFD32C2D2EB73A28CC5BED602F30DA5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........G.bj..bj..bj.\.i..bj.\.o.5bj.\.n..bj.....bj...o..bj...n..bj...i..bj...k..bj..bk..cj.\.k..bj...n.%bj...j..bj.....bj..b...bj...h..bj.Rich.bj.........................PE..L......f...........!...&..... ...............................................P............@..........................c..$...$m...........................(......lT...U...............................T..@...............L............................text............................... ..`.rdata..............................@..@.data....1.......$...~..............@....rsrc...............................@..@.reloc..lT.......V..................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):623056
                                                                                                                                                                                                                                        Entropy (8bit):6.452703221703766
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:vcqfl06LEuieb/drb93hVzyp5dl+lyyMKhoRZhD9ZKck9Qh/5Ffdw0CnbHu9gJJt:kqdFzbFrbUp5dl+lyyMKhoRZhD9ZKckB
                                                                                                                                                                                                                                        MD5:B03D660319962C265C8A5E6F89CD019D
                                                                                                                                                                                                                                        SHA1:289BA87563ABA33D9385C04834745AF4F5BE1882
                                                                                                                                                                                                                                        SHA-256:66ECEBD3D11557D42AE33B64E522F371D6D27651B8B7350BEF41F691FAB1465E
                                                                                                                                                                                                                                        SHA-512:F5376FE1195A14DCC4F1265F61088EF0452C72DCF17F0B7AA4ED4DB903347C60C9557E556DEAF0244DB0A5F3EA8B7065D7D66BD1638D1EC566EE26110854D5E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......97..}V..}V..}V.......V..t...tV..t...mV..t...zV..}V...V..t....V..t...|V..c...|V..t...|V..Rich}V..........PE..L......Q...........!.....b..........+*..............................................?.....@.............................Uh......P....................j..............................................p...@............................................text...~a.......b.................. ..`.rdata...............f..............@..@.data...$.... ......................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342024
                                                                                                                                                                                                                                        Entropy (8bit):7.895641722792913
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:1Y2e1wyPJHcHPL4W84QDcsKzJEraJJZ90eGBSemTEMNFrUCoSbL:LaJS0W84QopzJE2JJseGBugMNFhbL
                                                                                                                                                                                                                                        MD5:523BA7EBE060B6961722FF97089695B7
                                                                                                                                                                                                                                        SHA1:EFC5C558A78CD5DB8F3F0DC510FCFF8EE4876E77
                                                                                                                                                                                                                                        SHA-256:EA3795FB2D4CFE2FE70F616E3C5D9BD73DADEA39F8CC3A4BF81389F73352097A
                                                                                                                                                                                                                                        SHA-512:A2265D470FCBCC7E0E8AE88B44969768FF1216F76177EE4B9531FB09C980D9D4B1331D41E184BA1F0E66356B5530E7946F614CA7FCEB449B6C1228BC2233755D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t.C..XC..XC..X...YI..X...Y...X...YW..X...YA..XSA.YU..XSA.YR..XSA.Y\..X.@.Y@..XC..XP..X.@.Yq..X.@.YB..X.@.XB..X.@.YB..XRichC..X........PE..L...g..f...........!...).....P......pd.......p............................................@.........................lt...>...s.......p...................(..$.......................................\f..............................................UPX0....................................UPX1................................@....rsrc....P...p...D..................@......................................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1080320
                                                                                                                                                                                                                                        Entropy (8bit):6.54617867437111
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:D99IeBE76bZaCUrF0XbuqIpInZVrUCzfk44dH:D9S+EAZeY/UfZ
                                                                                                                                                                                                                                        MD5:39F617D7B979F6C6A3F49E3ECEEEDCC1
                                                                                                                                                                                                                                        SHA1:5CDD9B895F68D7D33FAA83C1C91A326A24D3D1C4
                                                                                                                                                                                                                                        SHA-256:85CBBD4990E82B653C3DE90CE6D873395D501D26652555A95FFA2498AF5B751E
                                                                                                                                                                                                                                        SHA-512:8098D896FF87095CBA3F58B73DB8BE820EE453172FC6615A6F6AA86FC2FD1C82D6564EAB37196F919F35AFDD77F40ED8ED27A6F057141FBE5C13E70D410C6691
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....TN...........#.........P.....................q.........................p......3......... ......................p..............................T...(...0...9........................... ..........................P............................text...L...........................`.P`.data...............................@.`..rdata..............................@.`@.rodata..............|..............@.`@.eh_fram ...........................@.0..bss..................................`..edata......p......................@.0@.idata..............................@.0..CRT................................@.0..tls.... .... ......................@.0..reloc...9...0...:..................@.0B........................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6332416
                                                                                                                                                                                                                                        Entropy (8bit):7.4749391416152635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:196608:+8Co7mhMKgeEyArU3/Rlr4MpWD1Ytty0cBiIgKR9vXooBF7QmQVmdYdlkSIJC7:wchgxoBFVImdYIU
                                                                                                                                                                                                                                        MD5:94988930DDDF8B7046EF683E00683698
                                                                                                                                                                                                                                        SHA1:420EE1B24BB1CC5C60B3E8D2B0542738DBA014BB
                                                                                                                                                                                                                                        SHA-256:FE4DEC84458C29BCD7D00A440522FBF3A5A3F83679282BB24BB8499ED17D74B3
                                                                                                                                                                                                                                        SHA-512:319600D9DC7F77D6808B60C3315F652A3DAABD631F780E63DBD4D9EAC9015D023F2432CC4F3ACE8A88785BE3DB2C15F86206C851383EA7DAACAFEB55776E0595
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........R2.h<a.h<a.h<a..?`.h<a..;`.h<a..8`.h<a..9`#h<a..:`.h<a..=`.h<a.h=a%k<a..?`.h<a..8`.h<a..9`pi<a..9`.h<a..<`.h<a...a.h<a.h.a.h<a..>`.h<aRich.h<a................PE..L....=.g...........!...).N...pD.....j4.......`................................`.......a...@.........................0.".p.....".......#.`.:..........x`..(...`^.x...(. .T..................... .....h. .@............`...............................text...3M.......N.................. ..`.rdata..dw...`...x...R..............@..@.data........"..l....".............@....rsrc...`.:...#...:..6#.............@..@.reloc..x....`^.......].............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2006016
                                                                                                                                                                                                                                        Entropy (8bit):6.626171499865031
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:9qoyEq23KY0eQlLvw2S5lIuWPtneyJ1bH08P2m:9qvDk/PQlTdSzIuytneyJ1bH0E
                                                                                                                                                                                                                                        MD5:89B8CAC8842BF80F3E49E6514E71439D
                                                                                                                                                                                                                                        SHA1:52FF66869C27422CA4E67842A027CECE9B461916
                                                                                                                                                                                                                                        SHA-256:43EB30D839138C0643E385E9575E06C850F660FFBD443F3F9CB2B35F238BCE55
                                                                                                                                                                                                                                        SHA-512:1E4CF691E92FEA86D948C33B19E768C857BF9F39DD51CC9037AD36934889A168969CD0416EC0CCA5884EDE4ABC00C8343A378753B4D199A73C5E335986FF41CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............f...f...f.?.e...f.?.b...f.?.c.*.f.?.`...f.?.g...f...g..f..Qe...f..Qb...f..Qc..f.Po...f.Pf...f.P....f.......f.Pd...f.Rich..f.................PE..L...*=.g...........!...).............................................................L....@.............................<...............hA...........t...(......L.......p...........................P...@............................................text.............................. ..`.rdata..............................@..@.data...H........X..................@....rsrc...hA.......B..................@..@.reloc..L............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1984000
                                                                                                                                                                                                                                        Entropy (8bit):6.631644667714026
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:lKo5RsoQpMzEeW13uF8DBgyB5YCngEf0NoV3kmGOxVG:lF5qtp+bW13uF8gjCgQ0aV3kmGO2
                                                                                                                                                                                                                                        MD5:E9DA848945FFB438C2598F88283E6548
                                                                                                                                                                                                                                        SHA1:2D6C20165D17A7A52ECB6D4B932339555D013AA9
                                                                                                                                                                                                                                        SHA-256:778019739F3BF67632DB749AAB8A938A2D6C385ADB61B8D46EBEF3568582D61C
                                                                                                                                                                                                                                        SHA-512:576266102ED10FFD9C6F46850592A28D9887DE402801FD041FAFE3BEC3AFA94DBF647A429CB9E3AD32F3870B96CA85DD1B6F482E6E42E513B4512FC434CF38E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........f...f...f.].e...f.].b...f.].c.K.f.].`...f.].g...f...g...f..ge...f..gb...f..gc...f..fo...f..ff...f..f....f.....f..fd...f.Rich..f.........PE..L...G=.g...........!...)............................................................G.....@.........................PM.. ...pN..T....0..PA...............(..........X...p...............................@...............@............................text...`........................... ..`.rdata..............................@..@.data...0........V...v..............@....rsrc...PA...0...B..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2107904
                                                                                                                                                                                                                                        Entropy (8bit):6.628063200615706
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:JppagIDAbM1lAp7FO/U8P1Hj8q5sP9MxAPkHIq2yid:Hw5cofApBOc8PFj8q5sPyxAPkoq3S
                                                                                                                                                                                                                                        MD5:E4615DF54082557B0B9C784428EC320B
                                                                                                                                                                                                                                        SHA1:72C93F64E810B944F6499A0FBE00AF7FD04ABD06
                                                                                                                                                                                                                                        SHA-256:8B663A51EED6DCFD68AE7C98A889E02FE9DB268B8FDD59C9DEFA264976EEB86F
                                                                                                                                                                                                                                        SHA-512:4E9E52FE40F18217BAC0F79B62D03D34EEC640A721304927A46947EB1C9D01D39E0ABF388565873C21BA6459D9B5789A8A9B843E25CE296796399CBEAFD20A82
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............z.P.z.P.z.P4..Q.z.P4..Q.z.P4..Q3z.P4..Q.z.P4..Q.z.P.z.Pny.P...Q.z.P...Q.z.P...Qm{.P...Q.z.P...Q.z.P..}P.z.P.z.P.z.P...Q.z.PRich.z.P........................PE..L...\=.g...........!...).....L.......c........................................ ....... ...@............................. .......|........D............ ..(...P..$"......p...................@...........@............................................text............................... ..`.rdata..f:.......<..................@..@.data........P...\...<..............@....rsrc....D.......F..................@..@.reloc..$"...P...$..................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2351616
                                                                                                                                                                                                                                        Entropy (8bit):6.684695815983325
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:zONnFeY38R07gdM5jPxqnRZhleMMS9f7a5qbFjRiTg+T09d:zO1Fx34M5jZqRZneMMS9fW5qbFjl+g9d
                                                                                                                                                                                                                                        MD5:B10CE6F86C8E15B661A72466F8F9F8DB
                                                                                                                                                                                                                                        SHA1:F266AF59177D39FB01710E297E2967EE387A9377
                                                                                                                                                                                                                                        SHA-256:79CC082B28DABC8811F7D63CB34FA046C543A87D896A392FE9D1F7BA5A8609E9
                                                                                                                                                                                                                                        SHA-512:BB6D90B2A62524632E1571925C1185F3B0E72710A1FC93F68D0513525130BA88F655A40A67BD1CE0F3D711AE7BB9916A0FA30FC270EACFD21498876C0C7027B8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............l.X.l.X.l.X'..Y.l.XI..Y.l.XI..Y.l.X'..Y.l.X'..Y(l.X'..Y.l.X'..Y.l.X.l.Xzo.X...Y.l.X...Y.l.X...Y}m.X..wX.l.X...Y.l.X...Y.l.X...X.l.X.lcX.l.X...Y.l.XRich.l.X........................PE..L....=.g...........!...).....b...............................................0$.......$...@........................... ....... .......!.`E............#..(....!.h6..p...p...............................@...............P............................text............................... ..`.rdata..N;.......<..................@..@.data......... ..^.... .............@....rsrc...`E....!..F...<!.............@..@.reloc..h6....!..8....!.............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):108032
                                                                                                                                                                                                                                        Entropy (8bit):6.392406183079777
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:4DMkwASAlBbybU8rxkQz/g9pV9Z2dcvxp267OKiY+dp9oL:4oASAv9FYUp3OKiY+n9oL
                                                                                                                                                                                                                                        MD5:93601A93026211DE5CB00C3827883EEC
                                                                                                                                                                                                                                        SHA1:931CBC627272361425EFCAEE6362B041A3FF6E3B
                                                                                                                                                                                                                                        SHA-256:1959B8E79F5BC0AB7451F0F362A714572136503C864C974E1088B1951EE592A1
                                                                                                                                                                                                                                        SHA-512:53C5F46A1E1F188C429EE686F9CE7E0A8ED5B5BDFA51D8DD3B619B9FD61B8F6EDCC162BCBA667E6336CBED8056F0A17A614170C60059BDB2947770223D19FBC5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.....{...{...{.......{.....'.{.......{.....s.{.#.....{...z.f.{.......{.......{.......{.Rich..{.................PE..L....9._...........!.....&...|......P-.......@..................................................................... r..s....k..(...............................l...`A...............................f..@............@.. ............................text....$.......&.................. ..`.rdata...7...@...8...*..............@..@.data....L.......0...b..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\reboot.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3221
                                                                                                                                                                                                                                        Entropy (8bit):5.297235243948338
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:3UoGnVsAdB/+8W3/VcCDO/wAKCRIpCBIweFC4+C/+CYFc:3UoGnVldBWtejp6tL
                                                                                                                                                                                                                                        MD5:ABE8E3568B6D951E7DD395DA46531932
                                                                                                                                                                                                                                        SHA1:304D81C1B48E16533EF691A9C965818136B9583C
                                                                                                                                                                                                                                        SHA-256:EB700422C31C15757A6C70141274A184D291AAC3BDE191A964F75A90BC084143
                                                                                                                                                                                                                                        SHA-512:19A79D90883103302BDDBAC8A765C6A5196FB78C223D911633285B4BA44EBFFA9C64690102498E3BEF5991DBA0F28847473A44D4F9AA7D637A4C4D3F1EFEA12E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@ECHO OFF..rem %1 - mode..set RMode=%1....IF NOT defined RMode (.. set RMode=1..)....echo RMode=%RMode%....IF %RMode% EQU 1 goto close_and_open..IF %RMode% EQU 2 goto normal_reboot..IF %RMode% EQU 3 goto reboot_to_safemode..IF %RMode% EQU 4 goto shutdown_byebye..IF %RMode% EQU 5 goto boot_to_normal..IF %RMode% EQU 6 goto boot_to_safemode..IF %RMode% EQU 7 goto normal_reboot_asrs....echo RMode=%RMode%....:close_and_open..net stop splashtopremoteservice & timeout /t 5 & net start splashtopremoteservice..GOTO end....:normal_reboot..SHUTDOWN -t 10 -r -f -c "Your Splashtop admin has issued a reboot."..GOTO end....:normal_reboot_asrs..SHUTDOWN -t 25 -r -f -c "Your Splashtop admin has issued a reboot."..GOTO end....:shutdown_byebye..shutdown -t 10 -s -f..GOTO end....:boot_to_normal..ver..ver | findstr /i "10\.0\.*\." > nul..IF %ERRORLEVEL% EQU 0 goto ver_nt6x_boot_normal..ver | findstr /i "5\.*\." > nul..IF %ERRORLEVEL% EQU 0 goto ver_nt5x_boot_normal..ver | findstr /i "6\.*\." > nul..IF %ER

                                                                                                                                                                                                                                        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):194632
                                                                                                                                                                                                                                        Entropy (8bit):6.700953544041196
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:CgElAKvMslbFN3XCm3dbSDcTn6iw5t4FEvQeXyB8LGeph+K:IFD3dmABw5SFEv/ypeqK
                                                                                                                                                                                                                                        MD5:4A2F597C15AD595CFD83F8A34A0AB07A
                                                                                                                                                                                                                                        SHA1:7F6481BE6DDD959ADDE53251FA7E9283A01F0962
                                                                                                                                                                                                                                        SHA-256:5E756F0F1164B7519D2269AA85E43B435B5C7B92E65ED84E6051E75502F31804
                                                                                                                                                                                                                                        SHA-512:0E868AD546A6081DE76B4A5CDCC7D457B2F0FB7239DC676C17C46A988A02696B12A9C3A85F627C76E6524F9A3ED25F2D9B8E8764D7E18FC708EAD4475591946F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................9...................................................................Rich...........................PE..L...4.*b.........."!.................C....... ...............................@............@.........................p...........<.......................H.... ..P.......................................@............ ..d............................text............................... ..`.rdata..N.... ......................@..@.data...............................@....rodata.............................@..@.gfids..............................@..@_RDATA..............................@..@.reloc..P.... ......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\LICENSE.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (514), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9519
                                                                                                                                                                                                                                        Entropy (8bit):4.902271147017698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ydP0KvBLCqikR/EgGJLrlwD+eilNi5Py1SDeoDXDw9lF5OMz6Q:PWBuqikR/EDJLriwlNi5KI1Tw9lF5OjQ
                                                                                                                                                                                                                                        MD5:31C5A77B3C57C8C2E82B9541B00BCD5A
                                                                                                                                                                                                                                        SHA1:153D4BC14E3A2C1485006F1752E797CA8684D06D
                                                                                                                                                                                                                                        SHA-256:7F6839A61CE892B79C6549E2DC5A81FDBD240A0B260F8881216B45B7FDA8B45D
                                                                                                                                                                                                                                        SHA-512:AD33E3C0C3B060AD44C5B1B712C991B2D7042F6A60DC691C014D977C922A7E3A783BA9BADE1A34DE853C271FDE1FB75BC2C47869ACD863A40BE3A6C6D754C0A6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MICROSOFT SOFTWARE LICENSE TERMS..MICROSOFT .NET LIBRARY ..These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft.. * updates,.. * supplements,.. * Internet-based services, and.. * support services..for this software, unless other terms accompany those items. If so, those terms apply...BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE...IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW...1. INSTALLATION AND USE RIGHTS. .. a. Installation and Use. You may install and use any number of copies of the software to design, develop and test your programs... b. Third Party Programs. The software may include third party programs that Microsoft, not the third party, licenses to you under this

                                                                                                                                                                                                                                        C:\Program Files\dotnet\ThirdPartyNotices.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (755), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79954
                                                                                                                                                                                                                                        Entropy (8bit):5.2343129347468
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HA9jHwQZGfgg39/zwgAVkguQXrDjugtSEGepkWvrpX7anuqdLS4mfiStPq+3Lefj:HA97wfogz1AVxuujHtSFULryLggrGRwJ
                                                                                                                                                                                                                                        MD5:F77A4AECFAF4640D801EB6DCDFDDC478
                                                                                                                                                                                                                                        SHA1:7424710F255F6205EF559E4D7E281A3B701183BB
                                                                                                                                                                                                                                        SHA-256:D5DB0ED54363E40717AE09E746DEC99AD5B09223CC1273BB870703176DD226B7
                                                                                                                                                                                                                                        SHA-512:1B729DFA561899980BA8B15128EA39BC1E609FE07B30B283001FD9CF9DA62885D78C18082D0085EDD81F09203F878549B48F7F888A8486A2A526B134C849FD6B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.NET Runtime uses third-party libraries or other resources that may be..distributed under licenses different than the .NET Runtime software.....In the event that we accidentally failed to list a required notice, please..bring it to our attention. Post an issue or email us:.... dotnet@microsoft.com....The attached notices are provided for information only.....License notice for ASP.NET..-------------------------------....Copyright (c) .NET Foundation. All rights reserved...Licensed under the Apache License, Version 2.0.....Available at..https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt....License notice for Slicing-by-8..-------------------------------....http://sourceforge.net/projects/slicing-by-8/....Copyright (c) 2004-2006 Intel Corporation - All Rights Reserved......This software program is licensed subject to the BSD License, available at..http://www.opensource.org/licenses/bsd-license.html.....License notice for Unicode data..-------------------------------...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\dotnet.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139560
                                                                                                                                                                                                                                        Entropy (8bit):6.287749729909957
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:swmRQoZmiyYIRPEgufW6see/URLSpseL5AXboB0UD:swmRbZmiyAfClcRLSpfLyLu0g
                                                                                                                                                                                                                                        MD5:36D228BE5ED20ADCC78CE322462BB51F
                                                                                                                                                                                                                                        SHA1:075B139595D5A86D53F87E2C90F0E484C9A769C0
                                                                                                                                                                                                                                        SHA-256:9935A604779C42CC7FC4291A68EC1D6EE889B8CEC349630B1ED1EFEC0B79B1BE
                                                                                                                                                                                                                                        SHA-512:419744B62337B1DBAD22FC3D1238FE2CC2DD7CABFBAD79F14E05CE6C470189D8F0DA8E6C9C97AA6E86AFD8398BAA9B90DFDA0A295D61A2F7413A7ADC704B9A27
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..}|...|...|...../p...../v.....//...u.).l...../y...|........./t.....E.}...../}...Rich|...................PE..d......f.........."......J.......... ..........@.............................P.......p....`..........................................................0..........8.......()...@..........T.......................(.......8............`...............................text....H.......J.................. ..`.rdata...~...`.......N..............@..@.data...............................@....pdata..8...........................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\host\fxr\6.0.35\hostfxr.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):378016
                                                                                                                                                                                                                                        Entropy (8bit):6.299291222115666
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:oGrRuLv2A7NEtiODC3zGr4iAOsCSEAg2gcmgrW091s:vOv2aNEzDuiAOsUuH91s
                                                                                                                                                                                                                                        MD5:940CD13B0268A9F75DD1C04548BBB9A9
                                                                                                                                                                                                                                        SHA1:7EBCE93D389C04DF1E3FCE71C9659DF6D75749B5
                                                                                                                                                                                                                                        SHA-256:36D60BF2659400EA672EDEC58C7FA1105B8F7BF55E75A75C7554ECDEFF1DBD89
                                                                                                                                                                                                                                        SHA-512:37A9384067DA8F9FE345519455D1E9B125E8EB8B7B1E87F8B8DDFDB1070E5556B6A65084A32F56FDF9D4553A986F4575691859C71882445506650D947859B1B2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k..|.I.|.I.|.I...H.|.I...H.|.I...H.|.I...I.|.I+..H.|.I.|.I4|.I2..H.|.I2..H.|.I2..I.|.I2..H.|.IRich.|.I........PE..d......f.........." ................................................................pD....`A.........................................P.......R.................../.......(......|.......p.......................(.......8............................................text...,........................... ..`.rdata...S.......T..................@..@.data...(....p.......T..............@....pdata.../.......0...^..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.version

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50
                                                                                                                                                                                                                                        Entropy (8bit):3.951272380112911
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:ilQC7BRFSRHLgQbLi:w7BTiBbLi
                                                                                                                                                                                                                                        MD5:BB568E3396EAB3BC8E5B4084D3288C15
                                                                                                                                                                                                                                        SHA1:0C06BC1D72CF0706B7A901F4570A73E4CD151172
                                                                                                                                                                                                                                        SHA-256:B648A485B2762EA04CDCFB1C4631F0A75929D1ED8B7C1DF4BB139F0201662643
                                                                                                                                                                                                                                        SHA-512:42B379CB8596E258393948B5394FC5840DB3D9B76BEAAACD1BFBFE6C860C3835596BCBD4B31CDFF444A9AFEF46EE617BFD830AE46F08C974186A47DA2ED43272
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:b357f86ce3bce7c232ea242074b17bebdc50b543..6.0.35..

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1042720
                                                                                                                                                                                                                                        Entropy (8bit):6.759185121370171
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:a93g4kD8aA+u1xjx1nu+Vu9yHZzsYghdi4YNLNlqx:W3g4kDiLlVu+Vu9yH+XiFi
                                                                                                                                                                                                                                        MD5:C3928A25CD29B21B84DF1554B4EA3FEE
                                                                                                                                                                                                                                        SHA1:057F67EB18BC2B19CB77AC413141DE255DBD0211
                                                                                                                                                                                                                                        SHA-256:79E9D346314609D493344EA0C51AE8E93DEAA5870A105FC07EB29E8458748CBE
                                                                                                                                                                                                                                        SHA-512:825FD54D970A7B02C7863C45B574CBF3D51B0CFA33B51681B8D96D5D32771A4EF24EBCE5C57AFF664AB7231279A60871C8967745F87A9698347E4A66E0DB3EAC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d... ............." ................................................................y.....`...@......@............... .......................................6...j...... )......<...`D..T...............................................................H............text............................... ..`.data...D...........................@....reloc..<...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2309152
                                                                                                                                                                                                                                        Entropy (8bit):6.414576855139372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:jH+fGgFyzuNiG6H0n8D1gkrz/OAyFAopdrq/c/:+GgFQq8DT/ZyFDN0c
                                                                                                                                                                                                                                        MD5:A71CD05C01F0FC603C0BD782516F806D
                                                                                                                                                                                                                                        SHA1:C15E261D5E7318875D324D28AB70A883CD434C81
                                                                                                                                                                                                                                        SHA-256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
                                                                                                                                                                                                                                        SHA-512:CE53F6DC1F02889ED6FB1F8DF226F9BADBB039F79505CDBD599A00A32B6617DA5E19F2AD7F76BB8134B3CCAD39FAB2209ED8EC6AE42CD30402C4E450FC19FA88
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Wq0...^...^...^.Xh]...^.Xh[..^.XhZ...^..]...^..Z.'.^.Xh_...^..._...^..[.m.^..W...^..^...^......^.......^..\...^.Rich..^.........................PE..d....ZY..........." ...(.....\...... 0........................................#......)$...`A.........................................Z!.p....[!.P....P#.......!..W....#. (...`#..>.....p.......................(....U..@...................0Y!.`....................text............................... ..`.rdata...Y.......Z..................@..@.data....a...p!......^!.............@....pdata...W....!..X...t!.............@..@.didat..p....@#.......".............@....rsrc........P#.......".............@..@.reloc...>...`#..@....".............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.deps.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32962
                                                                                                                                                                                                                                        Entropy (8bit):4.336195794839597
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:+BP5VEsIhKPMEPrT3XCGjDyiEc6BHa21Fe8kFN92uwtEeCJyK:6RVEsIhKPMEPrT3XCGjDyiEc6BHa21Fk
                                                                                                                                                                                                                                        MD5:4D015F352BB2E8413AC4215371BC5E35
                                                                                                                                                                                                                                        SHA1:ADFF306655001DCD02003372C2AC439A7BE17C59
                                                                                                                                                                                                                                        SHA-256:686481AE0DD4F3F7E44B2A4FA2949B319A0F701437CA42FDA78D637EBC2BD298
                                                                                                                                                                                                                                        SHA-512:DA871BA710634EF171A80ACD1A473BEB8204E8DF10F375CB999B9FF1A95264C256D5C7E01531F62E8D4A2608BBB858A7C6209DCBE2348E360C7F231861D3CF5C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0/win-x64",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {},.. ".NETCoreApp,Version=v6.0/win-x64": {.. "Microsoft.NETCore.App.Runtime.win-x64/6.0.35": {.. "runtime": {.. "System.Private.CoreLib.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "Microsoft.VisualBasic.dll": {.. "assemblyVersion": "10.0.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "mscorlib.dll": {.. "assemblyVersion": "4.0.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "netstandard.dll": {.. "assemblyVersion": "2.1.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "System.AppContext.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3524.45918".. },..

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.runtimeconfig.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159
                                                                                                                                                                                                                                        Entropy (8bit):4.54941695087313
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:3Hpn/hdNxDI/pANC+KL4nNOcW3mJAGRM3Bojqy2VKXmHEk/FTy:3Hp/hdNyhAk+Q6NOCUo+K8EkNTy
                                                                                                                                                                                                                                        MD5:3FBD84A952D4BAB02E11FEC7B2BBC90E
                                                                                                                                                                                                                                        SHA1:E92DE794F3C8D5A5A1A0B75318BE9D5FB528D07D
                                                                                                                                                                                                                                        SHA-256:1B7AA545D9D3216979A9EFE8D72967F6E559A9C6A22288D14444D6C5C4C15738
                                                                                                                                                                                                                                        SHA-512:C97C1DA7AE94847D4EDF11625DC5B5085838C3842A550310CCA5C70BA54BE907FF454CA1E0080BA451EACFC5954C3F778F8B4E26C0933E55C121C86C9A24400B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1245448
                                                                                                                                                                                                                                        Entropy (8bit):6.769261315323123
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:cxvknPxKYMVXllgnURGXuYl9wCi1Io+bZr:MvaPxKYcX8nURGX0CiY
                                                                                                                                                                                                                                        MD5:97F73DE2693B5F6EF780513E9179DDCF
                                                                                                                                                                                                                                        SHA1:EC998FAE441D1761960E1A1937EEADF60AE2ACC0
                                                                                                                                                                                                                                        SHA-256:92F5BAC23616A987292E4D65AABC8F16D102BAF50C1785A41C38305BC99A20B7
                                                                                                                                                                                                                                        SHA-512:98CE22DC95F50DA11F9828C9777DEF21AAB1EF95FAC938388766E2989C134F72896C7C8E1F686CF45077096879CFFD277CF94A7DBCECA238FD9BA0169DE8A14D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a`............" ......................................................................`...@......@............... ..................................L........k.......)......l...(D..T...........................................................P...H............text............................... ..`.data........ ......................@....reloc..l...........................@..B............................................0.......................<.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............d...^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........R.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18184
                                                                                                                                                                                                                                        Entropy (8bit):6.587142355138018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:p9SphH3cLeq/YxWmH6K9QdWoYA6VFHRN7hYcTR9z67V:pkHMLH/oEFClbV9zMV
                                                                                                                                                                                                                                        MD5:E807A9DF3752B47DD2EBF325488329EB
                                                                                                                                                                                                                                        SHA1:D780B123892ED5343BD2F0741184AE2F90A0A3A7
                                                                                                                                                                                                                                        SHA-256:BB902FB88A2C3AFD4548AA7631E6CEFFB9A8062A213B9654DE40D7C2ACB2A985
                                                                                                                                                                                                                                        SHA-512:6CB85784EA617D879BC5C40D204A91092F233A492C2EEA642E56ABDEA671066E5D0ABF29FBF1C074DFEBBE1683FBBE0A632F20952DBE82B0557EA40BE89B469A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....z..........." ..0..............2... ...@....... ....................................`.................................{2..O....@...................)...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......P .......................1......................................BSJB............v4.0.30319......l.......#~..p.......#Strings....l.......#US.p.......#GUID.......H...#Blob............T.........3....................................K...............2.................<.....d.J..........."...~."....."...}."....."...}."....."...d.".....".....x.....x.............................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26376
                                                                                                                                                                                                                                        Entropy (8bit):6.566822188548986
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TWhPTpWvZWnjmMDQnqyXhHuo0XWjYA6VFHRN7KW+ONSR9zdVHJ3:eVjm5n5XdCIFCl7BNe9zh3
                                                                                                                                                                                                                                        MD5:1F61CBDDE703B882F07EF7D71C3D3D25
                                                                                                                                                                                                                                        SHA1:F09B9EC89343C7EBACCA3C956859F46A30BCE04D
                                                                                                                                                                                                                                        SHA-256:B64A75F89C611F4CF88EC9AE85BB34D719578B01C106B16E2E8703694ABD1B0C
                                                                                                                                                                                                                                        SHA-512:78A90230E462F2AFE911E88E974FA7976D957DEFD3FF04C9B141D970AE25F29BE3F70C1D4ACFEE43C319FA80A142663B66EC3CE073EDB8AC99616720CDD0BB96
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...i............." .....4...................................................p............`...@......@............... ..................................D............>...)...`..\...8...T...........................................................H...H............text....2.......4.................. ..`.data........P.......6..............@....reloc..\....`.......<..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):87824
                                                                                                                                                                                                                                        Entropy (8bit):6.609888713325627
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:61Qcxml5haPYOueQFjym3sykEomWxGsVico5Bkbxliw33zC:61QIml5wPY3Fjy5ykE8xGsVicCBsXp3O
                                                                                                                                                                                                                                        MD5:EA5EF3E9C8F7A2A240ADB2D2D225AC01
                                                                                                                                                                                                                                        SHA1:EF69C741CF3CE92CC5B68E825C9E9796BAA9246B
                                                                                                                                                                                                                                        SHA-256:8609E30FBDE9BFE93B51A31E27963C44195EAC284904F5EA19E435E81CC9293D
                                                                                                                                                                                                                                        SHA-512:98C6B84FCB38F35E281265B7DD046A1CDFC1A31F787A011FE8227478C7D7C38AEBB09D350BAD457A115555BE28B7A6FD78659AC5A26AAF8A5B7970C25B19260D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....p..........." .........................................................`............`...@......@............... ..................................8...p............)...P..........T...........................................................8...H............text............................... ..`.data........0......................@....reloc.......P.......,..............@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.AppContext.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                                        Entropy (8bit):6.801530918765
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:W2NrDaW+p7WMYA6VFHRN7+eASR9zdVCOkh:nQbFClSe9za5
                                                                                                                                                                                                                                        MD5:23D709F84FAE16898B3B3FB532E39B92
                                                                                                                                                                                                                                        SHA1:34D3D72D6B1A2F0842DC18332585C60707CF29C2
                                                                                                                                                                                                                                        SHA-256:FBCB30E92AF2A28FC42F5862BBAC27A938B1A3BBDD21523DE48E5FC693AF720A
                                                                                                                                                                                                                                        SHA-512:0AAA8A9E4C2A7D7E287A1EC76F637BE582670E55823D42E179EDE70405BB60A58664F90CE2F39E1A5E136010E428E19DBBC38F61E7753F95CA5EDEB2FB5E883C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M............."!..0.............^)... ........@.. ..............................].....`..................................)..S....@..h................)...`......d(..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B................@)......H........ ......................P ..........................................Y...N.$...i.]....,....C..Y./....U....#......9id.....\G@..b{..@..+.%.>..d.E.........9.6...W....O.....<.6}...{.z....&BSJB............v4.0.30319......`.......#~..,.......#Strings............#GUID...........#Blob......................3................................................".p.....p...;.>.........f.............Q.....Q.....&...!.&.....&...[.&.....&.....&.....&...B.&...O.&...v.p...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                                        Entropy (8bit):6.782221204196243
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:WR0yWYi2W8pWjA6Kr4PFHnhWgN7agWykfKUSIX01k9z3ARqzJDL/:RyWYi2W8YA6VFHRN7C2IR9zooH/
                                                                                                                                                                                                                                        MD5:4089E1C839BC40FB1412C37BE8A6C3FE
                                                                                                                                                                                                                                        SHA1:5CCC3643FE29E5DD454ADC2E7127FE22D3982983
                                                                                                                                                                                                                                        SHA-256:4481BE9159BBA109BF872B6A7FD176CFA55416D4A8A666CCA60251B848AF7E54
                                                                                                                                                                                                                                        SHA-512:17BB639068C9DDCDD49380400E3829F82AF414C68FB53A68F4640B8FFF491F14ED35CD3F89A1030873D84BACE6558FF2F2099F5EF5598F7E1C58D6ECEDD8466F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m..........."!..0.............^)... ........@.. ....................................`..................................)..S....@..X................)...`......h(..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B................@)......H........ ......................P ........................................~w.;p.....B.@gTM.j..Ms..LXP..r....T....?46BDb.6..V.:.X._.F(..S.s...@..,ZO..le=.=[.k.=%..>2....wk.._I.2..O..3(k......[cBSJB............v4.0.30319......`.......#~..,.......#Strings............#GUID...........#Blob......................3..................................................y.....y...G.G.........r.......(.....Z.....Z...../...-./...../...g./...../...../...../...N./...[./.....y...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Concurrent.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):247080
                                                                                                                                                                                                                                        Entropy (8bit):6.849191153993673
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:GsS/IAVyNU2kbEf5+i6MKORygikbyO2DGJ0pebVq:GsBAr2vt6MikbD2CieVq
                                                                                                                                                                                                                                        MD5:E17BE481647C2DDCFFCD74FF9FBC1A74
                                                                                                                                                                                                                                        SHA1:7A5E9AA77CD0C8C72BA81311934BFFC3AECE2342
                                                                                                                                                                                                                                        SHA-256:086E14D805EF4CEFDB25506736DCC5D6E800D618DF672358CB1112BA04A1F8CA
                                                                                                                                                                                                                                        SHA-512:3C2342D9B1DE3E7E191A543F1C1D47ED04A679400F79A77B9F044E93425864603F453CBA86929173E5B14EBEEB929B3729DF1F902B5E655A8DC716F316174C74
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....C6..........." .....`...:............................................................`...@......@............... .......................................e..........()..........P...T...............................................................H............text...._.......`.................. ..`.data....5...p...6...b..............@....reloc..............................@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...C.o.n.c.u.r.r.e.n.t...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):666288
                                                                                                                                                                                                                                        Entropy (8bit):6.78661325216844
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:W36Xx8oDIB+7QBj0YBC6WXz66M4cRuco/oMy5iu:W3EWIX5at
                                                                                                                                                                                                                                        MD5:1B93945C7F04740122C60D8C9221654A
                                                                                                                                                                                                                                        SHA1:D19F777B688704693BDE7C8B0456D8D82D8B3AB4
                                                                                                                                                                                                                                        SHA-256:0C23E0E757D0DBF213A6BBFF8A76336D0AE762547EE898FA6F03F4C1A11C63C7
                                                                                                                                                                                                                                        SHA-512:23319E803AB3A271812FE3BFBBA76EDF33D8F13C446CABA164BE1E68C0645B4D119818644642F15A02C266FE65090688D3734CB8BFD0A61D81B5136E77C1AC88
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...nP............" ......................................................... ............`...@......@............... ......................................,...P^.......(...... ...."..T...............................................................H............text............................... ..`.data...:.... ......................@....reloc.. ...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...v./...C.o.m.m.e.n.t.s...T.h.i.s. .p.a.c.k.a.g.e. .p.r.o.v.i.d.e.s. .c.o.l.l.e.c.t.i.o.n.s. .t.h.a.t. .a.r.e. .t.h.r.e.a.d. .s.a.f.e. .a.n.d. .g.u.a.r.a.n.t.e.e.d. .t.o. .n.e.v.e.r. .c.h.a.n.g.e. .

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101144
                                                                                                                                                                                                                                        Entropy (8bit):6.476048974487395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vfgNzmjhqPdxPhjxSd+XBQCvePLDrnsrpyi3:3Nhq0FsE4
                                                                                                                                                                                                                                        MD5:67FFDB95AB55A741D15CCCD4C7B75DBA
                                                                                                                                                                                                                                        SHA1:D73B4BFBF850A3184990976B959CF08F925FBD08
                                                                                                                                                                                                                                        SHA-256:1F8D33569B15DB329B49388E6DC03A9121739F2F4155901761A56CF66CFA2477
                                                                                                                                                                                                                                        SHA-512:744E2409DFDBF41B4E1A568B0323FBEDB3F08368C812664CF7B7CF0F4FA269C7641CCC3BDC82075B97494829CF29D08E928BCE8AB4290B312EB6AB7CB8249758
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....u..........." .....L................................................................`...@......@............... ......................................(3.......b...)..........H...T...............................................................H............text...0K.......L.................. ..`.data........`.......N..............@....reloc...............`..............@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...N.o.n.G.e.n.e.r.i.c...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95496
                                                                                                                                                                                                                                        Entropy (8bit):6.534791453724649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:jWfjc8LAhPvoiTCxaDVvkDTC5O7/LyY204yhpVeypoi8C4dezFc:j0QsAZNBsDTs+zyY204yhpVey6dIO
                                                                                                                                                                                                                                        MD5:2BB568CF400E0890E8AA25DA5445D3FF
                                                                                                                                                                                                                                        SHA1:15C9D61A4EEFA521E7FD3FD51DF60AF80486FFED
                                                                                                                                                                                                                                        SHA-256:49577AAE05031B386CB8C04275047ECE9A0D63A6C4BBDFB1A4AE3B7841761CE3
                                                                                                                                                                                                                                        SHA-512:C2616137D3D41CF9F1A3F89F4F891C7DB09C18332CE5367C433C868E38DC9AF34D7A5D29D6023464F4250DB5EB1124319ED2A04BE2CEE9371391C7C498D8992A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....V............" .....6..........................................................O.....`...@......@............... .......................................0..h....L...)...p......P...T...............................................................H............text...x4.......6.................. ..`.data...\....P.......8..............@....reloc.......p.......J..............@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...S.p.e.c.i.a.l.i.z.e.d.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):264992
                                                                                                                                                                                                                                        Entropy (8bit):6.761266470511353
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:30bzt+JuwscekH2KrzQ5t056pAje2l3qZ7CLzG:35JuwDvHQNW27CLy
                                                                                                                                                                                                                                        MD5:ECAF66EE198849D3200E028C0A31CE8B
                                                                                                                                                                                                                                        SHA1:521E58557861EC5E549BFE9836E6E54C55E7F38A
                                                                                                                                                                                                                                        SHA-256:193A45006B2330E29C5FC6D0D3F92C269D9E9BDF1FA141E51B0A07909B7A02E8
                                                                                                                                                                                                                                        SHA-512:A5A73B4D1C6D3E346FC7DC85CD1E77181F2946FE99F0181B7BE68B98D8319718A07D4707DD3F709778175D3FDE73915B9AFED8FC451210D93CC596C8DF6CD8F8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...6e8..........." .........@............................................................`...@......@............... ..................................t...,].......... )......,.......T...........................................................x...H............text............................... ..`.data.../9.......:..................@....reloc..,...........................@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...C.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):187192
                                                                                                                                                                                                                                        Entropy (8bit):6.462092532995058
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:l7PmpgPixtBuguLv7F8IbGumTG5D5/vbF6V+F7LWYkQ6v+P0:FepnxeB1QG5lF7qtQ6v+M
                                                                                                                                                                                                                                        MD5:39FAEB8118FD29C6205C0A2129E91454
                                                                                                                                                                                                                                        SHA1:560A13F6BCAFB43B40F51770E6E2268AA2B37B4D
                                                                                                                                                                                                                                        SHA-256:8146999337103583BB15FFD1D5DA680D6FE35F594A5AE49EDCFF5A16BD8B7B74
                                                                                                                                                                                                                                        SHA-512:2631B643253CA643CDA19B9E3AEE72131EC5EAC4B7B81821DC45EA57B2A4CD23420A7808D979E90A609BE3D338BBC278F986E801001D92DC342FDF92ECC12F0D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....2w..........." .....v...:......................................................[.....`...@......@............... ...................................... G..........8)..........("..T...............................................................H............text...*t.......v.................. ..`.data...a4.......6...x..............@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...\."...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...A.n.n.o.t.a.t.i.o.n.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...l."...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17672
                                                                                                                                                                                                                                        Entropy (8bit):6.642694010569177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:m8imyfJe9eGXx44sAcUUWudXWwYA6VFHRN7T2lNbZR9zah6:m8j+nxTFClTsFT9zn
                                                                                                                                                                                                                                        MD5:399D1C1EE94247E9EF6500A017A71C1B
                                                                                                                                                                                                                                        SHA1:822F0321519EB59D625175CBF1A655F2F7699A9A
                                                                                                                                                                                                                                        SHA-256:D6693E0D5F2F24774E991A351F97D740E75A73FAD20295C4E2DDD51D9B65B6BE
                                                                                                                                                                                                                                        SHA-512:F577118238FC96FDACFE23CA6D37AA736CAD858022E20E65D881C7D06648D2D4EBD5E80E8F5B398E95A8F1DCE4B653022D71371AD9C75E514F687DA7359CD6A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............0... ...@....... ...............................r....`.................................;0..O....@...................)...`......8/..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................o0......H.......P ..h...........................................................BSJB............v4.0.30319......l...D...#~......L...#Strings............#US.........#GUID.......X...#Blob............T.........3....................................+...............M.p...P.p.....]...........................O.....7.................>.....[...............................9.....p.................W.....W.....W...).W...1.W...9.W...A.W...I.W...Q.W...Y.W...a.W...i.W...q.W...y.W.....W. ...W.....W...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38672
                                                                                                                                                                                                                                        Entropy (8bit):6.487371211774158
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:2IzyrkRPK1c3I484t6gu2FClLsl9zal7pQ:2IzBP8c3z6guiiLs3zarQ
                                                                                                                                                                                                                                        MD5:F81A8E96C4B41133CE2FBA56D63F4C22
                                                                                                                                                                                                                                        SHA1:85849958E58BF6A9FD5BEFDB67FF98842E6466B0
                                                                                                                                                                                                                                        SHA-256:77367BEF47DE9D2DEF9C606906A84D733A1D688BCF7299956828FB54C6A36422
                                                                                                                                                                                                                                        SHA-512:65102174EDF155614F696E1A251A2DD6A69176B61211EC5194067FE203D6B73D91D6A8E6E9D63188DD8A76BAB051E7EB77BEF00D7C569A798E53CD9BF20B1A27
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....%..........." .....b..........................................................T.....`...@......@............... ......................................$...x....n...)..............T...............................................................H............text...Ra.......b.................. ..`.data................d..............@....reloc...............l..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...d.&...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...E.v.e.n.t.B.a.s.e.d.A.s.y.n.c...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...t.&...F.i.l.e.D.e.s.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75424
                                                                                                                                                                                                                                        Entropy (8bit):6.41974698596593
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:P2sgnMIPQZQmsB2q+mKl/Q3mb1yF0YDC2oKQ15hC9QQs2mDLFClKmoQ9zRhoy:OsgXcmKmWYFlC2oKQsi3iKmVzRh
                                                                                                                                                                                                                                        MD5:596B37F463658FD24CE29F3F25C6628A
                                                                                                                                                                                                                                        SHA1:BE186A42FF6EE13C7F2546C3A7CAA622B4829FA7
                                                                                                                                                                                                                                        SHA-256:9B05AF160EFFCE0A352E0FB722350221A1F2A41010EFF10E769C12C3C28ABF10
                                                                                                                                                                                                                                        SHA-512:B03607DB59376501B6AFF0A0D04FA49B4CD106D9E009D5CBA006C6909A04BAD74FEAACAD0FE40704DA34D1D6AFD34F26D97C8B1090E4B6A177F52CEB5ADD4D54
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....A............" ......................................................... ............`...@......@............... .......................................&...........(..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...P.r.i.m.i.t.i.v.e.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...j.!...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):747280
                                                                                                                                                                                                                                        Entropy (8bit):6.696052130941475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Yq+dHPXqf5N+iMMturyUV8mIEUGKea0RAh5RNFRSll++KzUmw/BndUMHz6ifKjFW:yv+N+iMMturyU+m6RNFZUmw/BnfT6KK0
                                                                                                                                                                                                                                        MD5:97D87D45E05EAC86E89F33FFB66DD9CC
                                                                                                                                                                                                                                        SHA1:3B29D3210B4A1ABC1D2876599F776950E56C3451
                                                                                                                                                                                                                                        SHA-256:52BE87AB0CD386C0BE9538E44B9D1432BCF28370E98D568CBDAB409C84EC1889
                                                                                                                                                                                                                                        SHA-512:94834AD8ABB9F99E779D1DBF15502CA918B8D89ED83027CBDE5B7C8C15CBAF325286F4C127396E725F4490881D247EC411FD23E6D71C1B1C60A2C83366C18F06
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....._..........." .....n...................................................P......V.....`...@......@............... ..........................................<]...>...)...@..$...8=..T...............................................................H............text....m.......n.................. ..`.data................p..............@....reloc..$....@......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...`.$...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...T.y.p.e.C.o.n.v.e.r.t.e.r...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...p.$...F.i.l.e.D.e.s.c.r.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18696
                                                                                                                                                                                                                                        Entropy (8bit):6.596746437040324
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LW4X1Wove+Scpij+uCozWEdYA6VFHRN7QHWMR9z2QgW:/RScci4FCl8Z9zzgW
                                                                                                                                                                                                                                        MD5:0C8FF2C70D84FB0202750D8A19E0EC20
                                                                                                                                                                                                                                        SHA1:0BCE9D795D182291948DA212B728CA3476D58F58
                                                                                                                                                                                                                                        SHA-256:651C26058CD4C530458E740923E4CA85F76EEF6FE9E915631678800E9AD7E862
                                                                                                                                                                                                                                        SHA-512:872D7DB41EA2941B9305C6702A18F32E8C3F9EB363E239CA2851D5F9EF7B724BD0D6B034FDEA07419A08CC30B7F8F667F2924E25180126F5CE747EB93C7987EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....*u..........." .........................................................P......B.....`...@......@............... ..........................................`.... ...)...@...... ...T...............................................................H............text............................... ..`.data...N....0......................@....reloc.......@......................@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...D.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...T.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19744
                                                                                                                                                                                                                                        Entropy (8bit):6.575603714433907
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:aXoWX0yXQB1uXTSv/fvNRvGZYdf3zyP/weZvEydDgWvfNWZUX6HRN799R9zrJRri:1niZvVCcWF9ze
                                                                                                                                                                                                                                        MD5:A559E0096F62D213A900AAF749F08F5D
                                                                                                                                                                                                                                        SHA1:31C37CAAF3F0FA6C6ECE9E3C98E905FFF921AF1C
                                                                                                                                                                                                                                        SHA-256:7B5BD709929BE586FA1B95B7066C3A4AD9B5462FB1F7714BB39E6DDFD3B54148
                                                                                                                                                                                                                                        SHA-512:B9803794E42E984BA841D5A32BE8553FEB9CABED2E59866B35E73D3AF3641FA9D60207F98254BA923F9B9AA902BF08941B545F19310B4596CD097B01F22FBB7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7.(..........." ..0..............9... ...@....... ...................................`..................................9..O....@...............$.. )...`.......8..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......P ......................88......................................BSJB............v4.0.30319......l.......#~......h...#Strings............#US.........#GUID.......P...#Blob............T.........3....................................h.....D...............s.......|...............D.z...............Z.................0.....M.................<............."...,...................v.....v.....v...).v...1.v...9.v...A.v...I.v...Q.v...Y.v...a.v...i.v...q.v...y.v.....v. ...v.....v...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):156936
                                                                                                                                                                                                                                        Entropy (8bit):6.5995271738923975
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:h3J/DYsIem43AYT+a5TfaEPvbKwUJmOaYIEipy50K:X/DyWqaFCGmdIcIEbb
                                                                                                                                                                                                                                        MD5:7710279322A362C928BF36639EFFBF81
                                                                                                                                                                                                                                        SHA1:2B679CA3058DC2A5C90F40D3C1A98C9553098AAC
                                                                                                                                                                                                                                        SHA-256:1842EFE9037300ECE2E81E40EC000FA9338A4C786CBCFED0B47DD05B1C4E77EB
                                                                                                                                                                                                                                        SHA-512:085C7342AECA9F65B9E3774BF2E84AC9D703D66F764678ABC79A1AB8D5F82BE59B50BA97B53303956F2DEB055553B419E91DE8002E8D219FB38AD933EC802ADD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........$...............................................`............`...@......@............... .......................................<.......<...)...P......h...T...............................................................H............text............................... ..`.data........0... ..................@....reloc.......P.......8..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24336
                                                                                                                                                                                                                                        Entropy (8bit):6.299107673471786
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/sIbPFWOUSnPEW51b04H9DGMq/tE8aQjryAkxkBm4U1zXtrC1IIKrWXi2WUYA6VJ:/vPFWOUSnP751b04H9DGMq/tE8aQjryz
                                                                                                                                                                                                                                        MD5:9354C7BD9F23D4899200DAAA3BE37296
                                                                                                                                                                                                                                        SHA1:440D5E15680AB4BCCDD656E598A12C8884A56390
                                                                                                                                                                                                                                        SHA-256:25D934AB5109749874D2FC86A356DB68DF98DE7F1A5857E3F2B8744173B1B8D5
                                                                                                                                                                                                                                        SHA-512:3549F0275E7C848EB7E3E3EB7B881C846F73D3F8448C3F5032E10A49A245D7310D3643B6A605A55DA88CC90F3DC6F132A26812A763580B0B36A81B8CC4AC3932
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>............" ..0..,...........J... ...`....... ....................................`.................................CJ..O....`..8............6...)..........tI..T............................................ ............... ..H............text....*... ...,.................. ..`.rsrc...8....`......................@..@.reloc...............4..............@..B................wJ......H.......P ...(...................H......................................BSJB............v4.0.30319......l.......#~..........#Strings.....%......#US..%......#GUID....%......#Blob............T.........3............................................................................1.N...c.................y.....0...........].....z...................................K...................[.....[.....[...).[...1.[...9.[...A.[...I.[...Q.[...Y.[...a.[...i.[...q.[...y.[.....[. ...[.....[...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2983584
                                                                                                                                                                                                                                        Entropy (8bit):6.807191200324224
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:TyNlk2vtvXwQdjfbPQ+EPba92I7aE0Vnv1XgVi4nNmch7cDpBsKTzkt2BeE:T+VdLX3Sv
                                                                                                                                                                                                                                        MD5:E6421C7A5CF51CB5B5706BF00AA01B4F
                                                                                                                                                                                                                                        SHA1:12876E56B267E945FB709D9B5703009872D1A4F7
                                                                                                                                                                                                                                        SHA-256:272042F39223A4445CCCAAE2490C8291CBA723A1C30B61DB7603C218C69216E1
                                                                                                                                                                                                                                        SHA-512:B8597038DEFDD8BC8ED07BF56903E7E85D4B427973C473F60920EE53AB04CBFD7BCA488AFC5B659116BFA62A3B95769A690496A34B95647DA1F1E65E13217E6D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...].q..........." .....r+...................................................-......m....`...@......@............... ..................................t...@&...K...^-..(...`-..&......T...........................................................x...H............text...7p+......r+................. ..`.data.........+......t+.............@....reloc...&...`-..(...6-.............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.a.t.a...C.o.m.m.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...D.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.DataSetExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.668996319122586
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ulguSZJRWaJ7WzX6HRN7nVXC4deR9zVjxMY:TuWQWnVXC4dC9zVjd
                                                                                                                                                                                                                                        MD5:3E2A4F4D06E78AE1F2972A92F475C059
                                                                                                                                                                                                                                        SHA1:7ED79074D8F081398FA9119D20F475EF2A162814
                                                                                                                                                                                                                                        SHA-256:5B509E7AB8FC8FA00C722ABFDDDB37C1BDE182270D9A3030B785751910F3DFB3
                                                                                                                                                                                                                                        SHA-512:9DB1D000C9C5F130BEBF73EB8144495467A3D87165F6C94DBED18D4E709ACDBC787DC42AFA13D859EF70D441F3BDAD9979D96AA356439CBAA4BB8362E7F58ABF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T............"!..0..............)... ........@.. ....................................`..................................)..O....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ .. ...................P ......................................4..'..E....[..y.].%k.tT.*mT`Gf...#.y..=..1....%_....B_.J.I..C...rq..F..{.v.....r.9~7sMFL..]6..K.iz .I..9 .......|......)|BSJB............v4.0.30319......`...H...#~......X...#Strings............#GUID...........#Blob......................3................................................E...............................:...'.A...i.A.....A...~.A.....A.....A.....A...e.A.....A...........E.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25864
                                                                                                                                                                                                                                        Entropy (8bit):6.25146842792214
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:aBaJC9XmGP2SoxDZQj/6YWiXFW5YA6VFHRN7JKdpR9z+pttXEv:awsXmJDZQ7EFCluD9zWjXe
                                                                                                                                                                                                                                        MD5:457D34A9E93C95B0E0927741C43C706F
                                                                                                                                                                                                                                        SHA1:56C5AE9397D703F211CBF109CFC86EA5AE16DFCB
                                                                                                                                                                                                                                        SHA-256:434C2AEAEC2DED6A904FF16256412128FC0FA57DC6B54A1626E8F4558A14646B
                                                                                                                                                                                                                                        SHA-512:DD8759ED49410BB0086638A9101DF294D4A67C56ACC4509B26FC6DC136FE8A194E76747261218EED92E5DCB47365FD91262D1D8D38CA6F47B2B4BACD82E811CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..2...........P... ...`....... ....................................`..................................P..O....`..8............<...)...........O..T............................................ ............... ..H............text....0... ...2.................. ..`.rsrc...8....`.......4..............@..@.reloc...............:..............@..B.................P......H.......P ......................HO......................................BSJB............v4.0.30319......l.......#~......0...#Strings.... ,......#US.$,......#GUID...4,......#Blob............T.........3....................................<.....[...............:.................A...........o...........!...........R.....Z.....w............................... ...........#...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.794991722289914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9WxAgNW6i2Wp/X6HRN7AtIJVXC4deR9zVjxX:98m1WQgVXC4dC9zVjF
                                                                                                                                                                                                                                        MD5:E815C8AE914EE40BF8D404FCA79D5753
                                                                                                                                                                                                                                        SHA1:1E754EEC56B0762A99640B3B5537CB6F1FA81AE7
                                                                                                                                                                                                                                        SHA-256:89E4C33A4B7BA60A748A9EA3D5D1413AF0AB63CD29117F159FDCEF5779BD9359
                                                                                                                                                                                                                                        SHA-512:654D7B3AEFA8C29002247DB18807DF777421C94FC8E6ED4C8C013EC5828F142581DE45D2A1132C8D6BE7A2DEEEE2ED0F60F19EC78B94905245E3E5A52D23A67D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{..........."!..0..............+... ........@.. ....................................`..................................+..W....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ........................................)^.O..(.+sY.R.T...!%s.R...F4}c..X..@..1..sh....}...........e..Enr....F..P..."...N......."l......S..^ zs...R/o..`@..i...h..;BSJB............v4.0.30319......`.......#~......H...#Strings....8.......#GUID...H.......#Blob......................3......................................Z.........9.........................,.....{.........F...........5.............................#.....p.........................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Debug.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.771179430350626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:k1b2xx+3kW2SmWypWjA6Kr4PFHnhWgN7agW5IhHssDX01k9z3AGWPsU:5o0W2SmWyYA6VFHRN7gIFDR9z7WP1
                                                                                                                                                                                                                                        MD5:CB70708DCDFC6E40B8D57703AC186C6B
                                                                                                                                                                                                                                        SHA1:EE450F4D1EA1419E80725CF0ADD7CCC0F422285D
                                                                                                                                                                                                                                        SHA-256:0E2F8A41ABB218127967B9B63F7D88B2472AF27776A95F6F616D1E4F0068FB36
                                                                                                                                                                                                                                        SHA-512:35C7BEE29F8D1B1B6825EE4C7EABE4EEB15D9925F204720D22BFB4FE5CBDC7E48D5454E40E14E3D14291ABD69E27C44C4FB2B0CA0FEF5EDC263C1130CE716A0A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$2............"!..0.............n+... ........@.. ..............................p.....`..................................+..W....@...................)...`......`*..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P+......H........ ......................P .........................................Z..}P..).1.:.|..x^s.T:..'(i@.:.~~r(.j1.U.K....e.X.....9K...6...{..N.k~h._.f...U..T*s..en.)G..y/<._...!....}j.< ..\.....fBSJB............v4.0.30319......`...t...#~..........#Strings............#GUID...........#Blob......................3............................................................o...................4.................;...8.;...].;.....;...F.;.....;... .;.....;.....;.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):380576
                                                                                                                                                                                                                                        Entropy (8bit):6.735643509984664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:xNrYIYO/3uqTtasHnkWg62wafPoSVsybyCrEVYEHJ01TxJS:jV3ukBkwoPACrEVtKfE
                                                                                                                                                                                                                                        MD5:FFC6107F4CF962DECA6085FD6D6943E8
                                                                                                                                                                                                                                        SHA1:DA6366AA3DCF4862A4A110BEFF4EE185D64BD5DD
                                                                                                                                                                                                                                        SHA-256:394B562E8F1B4A2D75C86A0CCC26434A9965AE478A81978700A510005A987B81
                                                                                                                                                                                                                                        SHA-512:158D082C2377CFACBCEA79733C6023555B715061004ECE84998A9C5E86B63ED9F451A91946E60EB38FE915C7BEB44534F18FDE8C3FF7AD9E15233AE8743B4955
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...w.B..........." ................................................................8^....`...@......@............... ......................................`....+.......(.......... )..T...............................................................H............text............................... ..`.data....}...0...~..................@....reloc..............................@..B............................................0...........................X.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .C.l.a.s.s.e.s. .t.h.a.t. .a.l.l.o.w. .y.o.u. .t.o. .d.e.c.o.u.p.l.e. .c.o.d.e. .l.o.g.g.i.n.g. .r.i.c.h. .(.u.n.s.e.r.i.a.l.i.z.a.b.l.e.). .d.i.a.g.n.o.s.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.FileVersionInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35600
                                                                                                                                                                                                                                        Entropy (8bit):6.488510148250486
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:tWdVV9WzoyY50a+3ZgW1n6lsLiKqFCM1nTrmowCwZ0oEmLnYA6VFHRN7gFDR9z7Q:0a1pgW9LiKqFCM1n2owXZZlFClkl9zaz
                                                                                                                                                                                                                                        MD5:9A9B46B21F1CC90D9E398AEE76CB831C
                                                                                                                                                                                                                                        SHA1:8BFC832B73D619C6AB4D83CEB563620EAD601A80
                                                                                                                                                                                                                                        SHA-256:62FA26059B49F049A5F3DD63984E2BEC531999B12659713FD9E673A3CDC49FDB
                                                                                                                                                                                                                                        SHA-512:CF15A0AA31DB2525A10A6AAC6DFBF383BF441200BB9C39DCEE4A6BE690434EA3C061D9870A39B9F3AC190952FB61C1859D856784F9A43249A0338FB737C9A787
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...tO............" .....X................................................................`...@......@............... ..................................t...8........b...)......T.......T...........................................................x...H............text....W.......X.................. ..`.data........p.......Z..............@....reloc..T............`..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):290568
                                                                                                                                                                                                                                        Entropy (8bit):6.6831877089166865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jzvmR+TsVz/xZOkeijuG3yxs9b3NX1PkxBqqS7s03sx5Z+:jzeQTsVz/xjXjuGCjDr03sx5I
                                                                                                                                                                                                                                        MD5:29C2F7BBC8B17C8787ABB4D7EDC11DC6
                                                                                                                                                                                                                                        SHA1:79A2F9ABB8F4FED3A75962E21A8A0064F4633DB3
                                                                                                                                                                                                                                        SHA-256:B5AD22BF61562E5335CAB0D16233485F1E01B21556EEFA2F47E1C3E8FD5F6BF2
                                                                                                                                                                                                                                        SHA-512:A9C9EBBD52A4CF5C52D94F3810E21899C931BACE4C20B2923D26193F319BB07E23DDEF26B759EA45D31BAB9913421A99A772CA55918FAB4172C350BF605A96AA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....V............" .........P...............................................p......*q....`...@......@............... ..................................D....m...!...F...)...`......@&..T...........................................................H...H............text............................... ..`.data....H.......J..................@....reloc.......`.......@..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):36616
                                                                                                                                                                                                                                        Entropy (8bit):6.537255863264118
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:yt4gYfq6ejoniqkwx38n9Is/mjSTsssssssss4FCl3MFT9zC:yLYfq6ejoniqjx38n9IbjSzi8TzC
                                                                                                                                                                                                                                        MD5:C192A6B88DCA4AFD2A042C79A68155CC
                                                                                                                                                                                                                                        SHA1:B13A8B843D0735377C6A127565721019E54365D9
                                                                                                                                                                                                                                        SHA-256:27DD8C3DC2F22B40CFA443FC7B9A33520CEEC581A158042E9DD2451507A58105
                                                                                                                                                                                                                                        SHA-512:85B8E16B9BED456735B422FE726FFA1D3AC7FF5718F017E60829E3245DC1F454F077976E1140B168BC0D261D94B0636A2B4BC9918BBEB486B8A388BF0108E9F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....d..........." .....Z.......................................................... .....`...@......@............... ...............................................f...)..............T...............................................................H............text....X.......Z.................. ..`.data...~....p.......\..............@....reloc...............d..............@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...S.t.a.c.k.T.r.a.c.e...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60688
                                                                                                                                                                                                                                        Entropy (8bit):6.543709261391772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:HeWtDQZ7Fa+dddvw3hfgBsUbmoSNI8QUQXECIDoFI0yFjONFClrl9zs9:+DFaKddOtJI8GvJOHYir3zs9
                                                                                                                                                                                                                                        MD5:DEA179B29697ECAA3FA3199ECF9AC997
                                                                                                                                                                                                                                        SHA1:8AA7795711ECE9BDCC1A57CC548A7585FBD644B2
                                                                                                                                                                                                                                        SHA-256:583A5581861E0511ED7B0E2EAC14B4298B05C3E1FAEFD65318C6EDC78C4265F0
                                                                                                                                                                                                                                        SHA-512:B2CE8996D1A554A8D20BD45B2AFF84D29EC012963CB4F5EC2DFB09C6BD12F07BB46CB03F657EB4FCA47A8AE21A4ECC0CEE33367A9F183A6828291A07D07DC1D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...^..........." ................................................................3G....`...@......@............... ..................................4....'..8........)......$.......T...........................................................8...H............text............................... ..`.data...7...........................@....reloc..$...........................@..B............................................0.......................$.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........<.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...n.+...C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...T.e.x.t.W.r.i.t.e.r.T.r.a.c.e.L.i.s.t.e.n.e.r.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...~.+...F.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.6902230677661985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:oyVTAixxeH/WQcUWyRpWjA6Kr4PFHnhWgN7aIWZBzDoSJj+iX01k9z3AmCNGuY:Nco8H/WQcUWGYA6VFHRN7oDX+iR9zZgY
                                                                                                                                                                                                                                        MD5:8E4C6E5CE84FBC5DAEE123ACD66AFF89
                                                                                                                                                                                                                                        SHA1:3729A072623C64EB9C68DAF3EB8B982990A686AE
                                                                                                                                                                                                                                        SHA-256:DEFFF523549F8128A9B5ADBAA175BB186748A1DE7D3B1DD4200C0C4FF9E8257D
                                                                                                                                                                                                                                        SHA-512:3FF7B996FD7F1C7D230F39683847FC6D1842E844B517397284D9EF2E453739E49CC75BF6A039A073C23224BB9A54798396CA98C6CFBCCC1210BE71EFAE5177B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3............"!..0..............*... ........@.. ..............................'W....`..................................)..K....@...................(...`.......)..8............................................ ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..L...................P ........................................Y.%"...%Do}....$fYdO.V'1Ag.C..d.bx..1y4.,.F...<...m..)%.?.t...r.|;.i.~.M8p.....1D.|......x.O..b.H_............N..... .T.;BSJB............v4.0.30319......`.......#~..H...H...#Strings............#GUID...........#Blob......................3......................................Z.........s.........................,.....w...N.....F.....0.~...!.~.....~.....~.....~.....~.....~.....~.....~.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):133416
                                                                                                                                                                                                                                        Entropy (8bit):6.551188165832685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:bHjrVA3Ua/8lVkCAnPL0FlgsMzj2OE20esM9eVriqRIL8dXmty6lH4ziWzD:bvV7a0bg4F+sAaj2SM9eVriE2ty6B+NH
                                                                                                                                                                                                                                        MD5:AFB7C185FC983D0533BD729B121CB108
                                                                                                                                                                                                                                        SHA1:6FA0484D54708288F94AA6FB0AD6BE3D5F208656
                                                                                                                                                                                                                                        SHA-256:61C7903D1CDA2298112BCD7A0F57F1F76548A09CE7C1DEFE8D65A6B42268B4C5
                                                                                                                                                                                                                                        SHA-512:7380FBF5935FC2579E84923378A3EFA2C3D8F6E4954FF9F5D8007663B55ED33E81FE05A059A5E35A240A501BC298338FCAD885A579C78CD799CFABE47BC1D040
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ................................................................k.....`...@......@............... ......................................L@..........()..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...T.r.a.c.e.S.o.u.r.c.e.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tracing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.721684126311085
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:X75g6pDj+ymxxdZWbBDWOpWjA6Kr4PFHnhWgN7acWJtZQcADB6ZX01k9z3Atyi:X/+yM3ZWbBDWOYA6VFHRN72WcTR9z6yi
                                                                                                                                                                                                                                        MD5:1C693E6B4C17658F2E2F81F245D81F53
                                                                                                                                                                                                                                        SHA1:C9E2D650B90D0B19642CAC32C07251E4A6443073
                                                                                                                                                                                                                                        SHA-256:ED823EA98320410EC6675FCB555FA34EE295081A3D7653D6CF10E5424E7F2459
                                                                                                                                                                                                                                        SHA-512:58600DF3D1B5B1DA028D4B8EEDC06C953DB6B940F2B9B32EDA6134B50515D7A9C3EC3B47D230FEDED12D0B3F2B6159B9EDE1CD50A880444C562B439C8E3EF82A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....V..........."!..0.............>-... ........@.. ....................................`..................................,..S....@...................)...`......0,..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ -......H........ ..`...................P ......................................irj.gz...a..0.*.u...3(]a.f'..Drt-.\.R......X..S....z.Y.....t2...x.X..D..7.V\.R'....,.c...m_X.n.....7..B.w.z....D...B.5BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3................................ .....................].........................................m.....q.....D...........P...........*...............................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):130312
                                                                                                                                                                                                                                        Entropy (8bit):6.3785881753390115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:b21fgY6c2/Pwp2Hj/ygb4xfHIKHnT6IdI0WkHLbjypy6hKl:y1fwyyzKHm+ljrkc
                                                                                                                                                                                                                                        MD5:0D17F379D5E18424C1CDBA037DFE8E02
                                                                                                                                                                                                                                        SHA1:F1D1FF0FD4E3A32AF9E7A2B0EB3D0FEC4586B185
                                                                                                                                                                                                                                        SHA-256:AE4D4D0A9018A3BEE1D1AAADE35872840223B6EA80F42F9ABC8CD94D0173582E
                                                                                                                                                                                                                                        SHA-512:8476EA5D21925EAC7007A0C0F48E3AB95D37B4E1C501FC321ACC41BC0D8E5FF59293EB6AB54314797759AF48997C21204BDE91014BF8C7F553F79471BAF6BC73
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;.g..........." .................................................................S....`...@......@............... ..................................8....0...........)......,.......T...........................................................8...H............text...f........................... ..`.data...f...........................@....reloc..,...........................@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21256
                                                                                                                                                                                                                                        Entropy (8bit):6.399232557439348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GgyLzP7uC8sYITetzP974PbXWx/tWbYA6VFHRN7PRxB+R9zPdq:Ggy7QRN2FClPRxw9zs
                                                                                                                                                                                                                                        MD5:E71CD9814EAF71614068C87F69221ECD
                                                                                                                                                                                                                                        SHA1:28F617B40E91E60744B9259C5F9CC52F4803EAC0
                                                                                                                                                                                                                                        SHA-256:493CA897860F0B3698041A562A6BA871BA69AE9B2120856AD98A99BF98B9EC8A
                                                                                                                                                                                                                                        SHA-512:BA3205DE3FD4DBE702E088BD93B5F5CA3EB022E29775C7C5A8A20D0C416407889E4E3DD6E28BA63E7537702A2CA4329DC56F64B6CED7D93EA2BB724592DDDC38
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.. ...........>... ...@....... ..............................I+....`.................................}>..O....@..X............*...)...`.......=..T............................................ ............... ..H............text........ ... .................. ..`.rsrc...X....@......."..............@..@.reloc.......`.......(..............@..B.................>......H.......P ......................(=......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID.......H...#Blob............T.........3..................................................................m...........#...............d.....x...........W...................................;.....~.[.......................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V...y.V.....V. ...V.....V...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.682833908003748
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OGMeH1jyMWsmCWpYA6VFHRN7YpjNbZR9zahO:D1SFFClWjFT9z3
                                                                                                                                                                                                                                        MD5:0B5B4A265DF1687CD6CE5A5C0C2B257F
                                                                                                                                                                                                                                        SHA1:FD358CEDBDC44A8635831A27BF201E557564EC4B
                                                                                                                                                                                                                                        SHA-256:1CBD5B22FE6CC0701B8C0A8BDE7D47C9E98FF36F878D7AB21EF6DCC2E07031E7
                                                                                                                                                                                                                                        SHA-512:8764648F88EB51273A25C46E4F87E41DE3F544F56510670D1AA7C10A1393E9B647813AEDD177A7A4D0BEAEF446A7DBF20E00F884071BA4CA08A7861204D739EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."............"!..0..............,... ........@.. ...............................e....`.................................\,..O....@...................)...`.......+..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........ ......................P ......................................u6.R6.;..$..y..3+L.,..q?-C+&Mw,me...z.....%.~...L..>.W...5.m.6........h..u.C.W....5..B..[...... ...5.;..........?B|c:c.AqBSJB............v4.0.30319......`...P...#~..........#Strings....0.......#GUID...@.......#Blob......................3......................................>.........W...............................Y...9.r...j.r.....r.....r.....r.....r.....r...w.r.....r...........#.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):200456
                                                                                                                                                                                                                                        Entropy (8bit):6.678151949832614
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:vfjQgR2Iits3cbSjp74Cmwkv9Rc5ff3MAdI:vfUy27tScbSjp74CmwTvM0I
                                                                                                                                                                                                                                        MD5:0F50B814E03E5D788050A64A02E79186
                                                                                                                                                                                                                                        SHA1:F4784DE5C05420D20962911E8A9C25BF4A5472EC
                                                                                                                                                                                                                                        SHA-256:62EE5698F9DD0429111B6E206E681774A9A61B89DE860632BA1F1E669E2B4B67
                                                                                                                                                                                                                                        SHA-512:1509426BD27ED3722FF8AAE7BED13FA4BF0DD51211ADE6CA7EF564782952E2A7A4DE3365253A0EB59CD66604D6689F4055AA7977F4E3792188A74316048671DF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...r............" .........(......................................................e.....`...@......@............... ......................................XO...........)........... ..T...............................................................H............text............................... ..`.data...1".......$..................@....reloc..............................@..B............................................0...........................H.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...j.....C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .c.l.a.s.s.e.s. .t.h.a.t. .c.a.n. .r.e.a.d. .a.n.d. .w.r.i.t.e. .t.h.e. .A.S.N...1. .B.E.R.,. .C.E.R.,. .a.n.d. .D.E.R. .d.a.t.a. .f.o.r.m.a.t.s...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Calendars.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16168
                                                                                                                                                                                                                                        Entropy (8bit):6.800001141845772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bas74RqXWDRq4PRqm0Rq7WAYA6VFHRN7rJsYlORR9zP9pv/:1OqKqaqmuqfFClrJDK9zb/
                                                                                                                                                                                                                                        MD5:60EC046F6E006115F5E0F69349B66976
                                                                                                                                                                                                                                        SHA1:47579FAE1C87A132AAD35A7BFB00C34B03ACC3EF
                                                                                                                                                                                                                                        SHA-256:CA6A9C3A0F8F9A2F7310326F5B14BE7BAF5A317AD600A0516A5AF0C49D29C803
                                                                                                                                                                                                                                        SHA-512:A74BA829A1CDF6B32013C3572591E1AAB8D48998B97DA73E4225DA0DE9D2CBAC91D3B51951C2856E1F940639D4A398F48D6CCA0CD62AAAC8713899161997368E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n............"!..0..............+... ........@.. ...............................#....`..................................+..W....@..................()...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P .......................................=.c'm'"0N(..|..{Z.%.3..P.G.*^...QO}....e3.W.r...............10N.g.y.j.lZ.Q.EBCI.d...i.6..K.....l<lG..Az.U]m.$...[d...G..x.BSJB............v4.0.30319......`.......#~......$...#Strings....0.......#GUID...@.......#Blob......................3................................................"...........;...........f.......,.................H...!.H.....H...[.H.....H.....H.....H...B.H...O.H...v.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.829197730895101
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:PluRPWYRgcRp0RjW2X6HRN7wnipR9z+pt9Pa5:PaNVpupWwiD9zWnPa5
                                                                                                                                                                                                                                        MD5:6687C41093EC1E800065E8B9F519C85C
                                                                                                                                                                                                                                        SHA1:A1C75BF69C5229431DAB32AD6CAE238F5C23BC89
                                                                                                                                                                                                                                        SHA-256:727FCC0B9C7F2C8E442B79CB27DDFA0F77C988A3ABCAC1D8AC54B8B5D13FA2FD
                                                                                                                                                                                                                                        SHA-512:C85864BC5DC84D611A2F72AABAF46EB4711F824ECCA6303268C87DA702B3584D7B882C55A16824FDAD5D04F5AE91DD82461B52D1A4767B56362C18B746EB3932
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B^c..........."!..0..............)... ........@.. ...............................s....`.................................h)..S....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................l./%..d...w.Ah3C....O.*.~.[....I+.....e.....S6|....q......m.Uo.....X4...Lt...{f[^X|I..o.. K.].m-...~.D......V......1aVEJ.M.3,<BSJB............v4.0.30319......`.......#~..@.......#Strings....$.......#GUID...4.......#Blob......................3..................................................P.....P...3.=...p.....^.....a.......%.....%...w.%.....%.....%...w.%.....%.....%...G.%...I.P.................7.....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.722888698554338
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:amQ/APRLWdRMxRA0RHWDSYA6VFHRN7ht1t6R9z7UK9:amQ/k00AupFClht1t29zgQ
                                                                                                                                                                                                                                        MD5:8122E1A69A6500E33056AE1556B83C1A
                                                                                                                                                                                                                                        SHA1:F10E765E55F79FE056B8E0B74C3DD1A04351CFCF
                                                                                                                                                                                                                                        SHA-256:71B712F484C595CEE326A040C8868D11EBB8A28F8E10F58579E76C6B056ED6E7
                                                                                                                                                                                                                                        SHA-512:B1568DC386ACD6C1CB8C5867CADDEE680C228F04A09EFD7616C712F5B2D00EA837F90BDEA28E326750BF6AC5BA639181FCAB73AFF9C2EF73986B9A30D404FBB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w............."!..0..............+... ........@.. ....................................`..................................*..K....@...................(...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..D...................P .......................................7.)n..a.&.3..... ..]tM.%:.....:%.[....F.5-.....M...L[...F.k=........FZQ.e...Xx~........*.k...LPw......T\.o.{9...+=1AB.BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................).........3.K.....K...L.....k.....w.......B.....,.....,.....^...2.^.....^...l.^.....^.....^.....^...S.^...`.^.....K...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Brotli.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72968
                                                                                                                                                                                                                                        Entropy (8bit):6.528958006044264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:alBKjElqr5dSOyXb23tCZrEp8RvVifTzb:ab4ElW5zyXb238rjViTf
                                                                                                                                                                                                                                        MD5:AA9B333FA47EABC7D9EAFE6FE7A263FC
                                                                                                                                                                                                                                        SHA1:22C6E5092A6D596737A5398F70F98503B4AA14EC
                                                                                                                                                                                                                                        SHA-256:11C5A8B74E363109C89697BDCAE2EC3A3AE6408FF42D502862E8A7B95E5265A2
                                                                                                                                                                                                                                        SHA-512:22BF2ABFDEA1FACE270E806931CD81EE174F585B59EC2E9D5478D4FDFFEBF3C6F84D8D9B0C47F1A4A833FDCBE4738596C72EC5A3B7A4B0DA7D2EF008920AD460
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....}..........." ......................................................... ......}.....`...@......@............... ..................................P...<)...........)......l.......T...........................................................P...H............text...D........................... ..`.data...............................@....reloc..l...........................@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.FileSystem.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.724449548328205
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GOPrezAaWuCmWJpWjA6Kr4PFHnhWgN7acWFv9O4x6RMySX01k9z3Ahts/a:TPcAaWuCmWJYA6VFHRN7Mv9OHMR9z2h
                                                                                                                                                                                                                                        MD5:1A86FF69F935493E236CE382FE70715A
                                                                                                                                                                                                                                        SHA1:BB0A289B47E157FFE16ECC0BF4360E1800616CCC
                                                                                                                                                                                                                                        SHA-256:9AFBD90627BA2A53C73D12C44DA02342899395CA847B0FAA169304C9267F8C2D
                                                                                                                                                                                                                                        SHA-512:0573D7D99D1735F7101F0F80D50126673A8EAA9EF9DA685489BA7F62F9455080CB7E02731960CCE94B9A88DD41A973E9773E87E49B3475372D7E50E5A1E451D4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+............." ..0..............*... ...@....... ....................................`.................................9*..O....@...................)...`......@)..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................m*......H.......P ..p....................(......................................BSJB............v4.0.30319......l.......#~..t... ...#Strings............#US.........#GUID...........#Blob............T.........3....................................................I...........k...................[...+.....7...................................i...........x...........Q.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):826128
                                                                                                                                                                                                                                        Entropy (8bit):6.112403183100119
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:CJhYe83Gfyv7vrkasX8LZ6dA9NWYIAHhlyR8ZXTw05nmZfRK1o:IYXv7vr5dx9IAniAmZfREo
                                                                                                                                                                                                                                        MD5:83183EED671A225CACCC6335313D2179
                                                                                                                                                                                                                                        SHA1:9A11A9790E64443DE2C26EB52DFC6BD6C74F1558
                                                                                                                                                                                                                                        SHA-256:A0BF4ADBFFCDA63F954F8F5564EC53946AFCEEAA69506F17AE5DB214472C5500
                                                                                                                                                                                                                                        SHA-512:B2871B9DA5D2EF390EF9297D6052EA809EFE4EDEEFAAF53221B029C93C064FFB2E3499F2A8A827A8B0A0C40A441627AA4B7485C72B082F5BBAF13F5BC9E4F193
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*.ORn.!.n.!.n.!.g...b.!... .m.!.n. ./.!.<.$.q.!.<.%.d.!.<.".f.!...).@.!...!.o.!.....o.!...#.o.!.Richn.!.........PE..d......f.........." ......................................................................`A.........................................V..<...<Y..x.......h....p.......r...)...........&..p...........................0'..8............................................text............................... ..`.rdata..._.......`..................@..@.data...,....`.......H..............@....pdata.......p.......L..............@..@_RDATA...............j..............@..@.rsrc...h............l..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):39688
                                                                                                                                                                                                                                        Entropy (8bit):6.509096272626782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:0WPIIWzAp7Xgjg1al2Yd5zDN2g47XCIYUvsWIXpuJFH9CEUoGdqtHfSBGU0ypu+H:+OwDf4gMCUUjgsEUtcGpXvFClVRxw9zf
                                                                                                                                                                                                                                        MD5:B9C3C7F050ADF5D8AB365AB6D3587286
                                                                                                                                                                                                                                        SHA1:0FF43EDC2E21828E491CD662B379A7F69FD5C016
                                                                                                                                                                                                                                        SHA-256:25EACA54AA1CDF58C6EDF379C6F61674C968DB982E56CBF5072576E058B679A3
                                                                                                                                                                                                                                        SHA-512:54780E0040B03CB1783F8FB8177AB57F3C1E70D1279B3B4C40E9E84F291309F7DDDFF2893F11652DEBAA68FA7CE5EFFBCAB6A43198A967408D777D5E809F39C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...O............" .....d..........................................................2.....`...@......@............... ..................................P.......4....r...)..............T...........................................................P...H............text....b.......d.................. ..`.data...e............f..............@....reloc...............p..............@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):267056
                                                                                                                                                                                                                                        Entropy (8bit):6.676156102505666
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:pPlVaqxaMRqarRTaoJLaT2uPhMSt3JiTHqE0F8LVq/GMjya953xieUbwn+3cCEqC:j0eD8xwgiTzVqXtpIMV/cOVjKGb
                                                                                                                                                                                                                                        MD5:649DBDC92B5DBD1607A1F6B650BEC02C
                                                                                                                                                                                                                                        SHA1:F41CEF14036CE1B578720F43F646D24B09E74DA5
                                                                                                                                                                                                                                        SHA-256:732AADE5AC1542E66ACA020BDC2C8BFDBCEC21168F7B347F88A844315713AA8F
                                                                                                                                                                                                                                        SHA-512:2C8D70EF32E5840276A1EBE3215FB6FDFDFEFDDEBF392970578F1C9B2AE33B100980BBDA639A51769CAA07A3046E22DF1D6CD9DFE6A0E10F83F0A0941CAD740D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...).1..........." .........@......................................................&.....`...@......@............... .................................. ....j..T.......0)......@... '..T........................................................... ...H............text...1........................... ..`.data....8.......:..................@....reloc..@...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93960
                                                                                                                                                                                                                                        Entropy (8bit):6.568373020345826
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:QaWBXrBsyesUkP3IYoXxs6+gvXYqFBigvfL4iuz0:QdBXr2yrIjo4CCT4BQ
                                                                                                                                                                                                                                        MD5:6F62AB0BC69B1115DB7EA79AC22B249F
                                                                                                                                                                                                                                        SHA1:DF95F07D55F58EBE9323F7F3CB4C53B4A4E16D28
                                                                                                                                                                                                                                        SHA-256:388D827290273301ECE6A797E2021238675BBDB424C520F4CF922C5420F4B9B7
                                                                                                                                                                                                                                        SHA-512:9AC0230B59FE22C30B381A294CC3C4B8FB43FB17268C810172CE2B35337467F4A0501C7DAE3C140FA37465ABCAD2D830C6D63F1A278ABBFAF2ADAB315F024E5C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....`..........." .....(...................................................p.......>....`...@......@............... ..................................t...T/.......F...)...`......H...T...........................................................x...H............text...w&.......(.................. ..`.data........@.......*..............@....reloc.......`.......B..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42784
                                                                                                                                                                                                                                        Entropy (8bit):6.444572054452613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9WUWyWquDVCHWl2Yd5zwNirXKT2JoYuchKG46JdicX+zu6CVy1/8K4Y5eHs+dLiq:ovf/mv36JwcXKLkK4YoSL1W9U9zG
                                                                                                                                                                                                                                        MD5:467F13402BC600AE9872E7A82D891D1A
                                                                                                                                                                                                                                        SHA1:837E11B9B7C67B617538958267849DBC3B080EF1
                                                                                                                                                                                                                                        SHA-256:B26AEB1B48380512658550F2BE2C196C46F067FA5014E5C0693A289243364D4D
                                                                                                                                                                                                                                        SHA-512:2440286517E87F5D93446271C5B10AD53C1E7EC21E5C59B067392A6935E5CDA73F5750398859BCBB204511025C4D5633E3BA9220FFFDA31D2EB0683217508126
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...}=............" .....p..........................................................I.....`...@......@............... ..................................\............~.. )..............T...........................................................`...H............text....n.......p.................. ..`.data...s............r..............@....reloc...............|..............@..B............................................0.......................L.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........d.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...@.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                                        Entropy (8bit):6.8279746301481845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:QdhYqx9jW/uqWjpWjA6Kr4PFHnhWgN7agWirdIhHssDX01k9z3AGWym+:QdJ9jW/uqWjYA6VFHRN7FriFDR9z7Wa
                                                                                                                                                                                                                                        MD5:6334DFF8984928C204C051F8BB212F73
                                                                                                                                                                                                                                        SHA1:2C64DDA4206516603475EC7AD9539312F8019666
                                                                                                                                                                                                                                        SHA-256:EEA42A0A145C32604C595A6A0A1AA1221AF7C5FF78F4F68C5A274A6239A1A834
                                                                                                                                                                                                                                        SHA-512:443A2AEAAE4E5F74DA8B41F1C6EF8E6C653E07B1238516650DB835298850D44DB87EB55C8A71A8EB90CEDDEA3C2B81A6F3655FF4C1FDAE7B72FE6C9CF48B61F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!C............"!..0..............)... ........@.. ....................................`.................................`)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................E....(r...;.=:|..~P...m.'...tAI.y.#.;......k.....l..........T.G.R.!.a.....#.-...D.2.:X.5.ku.|.[.9W.......v.(L..6.....j;..\BSJB............v4.0.30319......`.......#~..L.......#Strings............#GUID...,.......#Blob......................3................................................!.J.....J..._.7...j.......................E...........Z.......................A.....s.....u.J.................1.....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Watcher.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72456
                                                                                                                                                                                                                                        Entropy (8bit):6.538568534245824
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rFuxG26GxE6ILBZ2ds7lgIdVI0bWG5izpzWeA:rkxpVWlZh7lR7I0bp5+pyeA
                                                                                                                                                                                                                                        MD5:6856A5853399F7C86959542D4ABE32D1
                                                                                                                                                                                                                                        SHA1:9AA4CE1651EAA297E15AA9F8F784B94D606242E5
                                                                                                                                                                                                                                        SHA-256:A101BBC1337F65C6BE09AC88854029AFBE9469528B659C92CC32BAE1CAC1BE36
                                                                                                                                                                                                                                        SHA-512:C5B66CEA3FA103FC05E0A58F6F5D8B4C2B12AC11ED32FB873C1F4C90D35F49B508BA28F87A9AE85758A20151C8A5D7CB6575FD3BD6AC0702272F2E8F8C399047
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....A..........." ......................................................... ............`...@......@............... ..................................P...d(...........)......p.......T...........................................................P...H............text............................... ..`.data...............................@....reloc..p...........................@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24328
                                                                                                                                                                                                                                        Entropy (8bit):6.349400167788197
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wz5aPWc+mFnJ85Zu+m2sqjd5z5nNkch2LthOWyy2WQYA6VFHRN7i2R9zza+AsT:wIP7Fn8dPfVqekFYFCliK9zMS
                                                                                                                                                                                                                                        MD5:A45852ED049BBB2BBC5036E3909FCB7D
                                                                                                                                                                                                                                        SHA1:93A8FBFD22D84182944949C1619AD1181CD339EE
                                                                                                                                                                                                                                        SHA-256:9EF524A46534029C549509E464CD5893E32FBDE5EF29BD00AA2020AA5C5CA7FC
                                                                                                                                                                                                                                        SHA-512:058CC5F00A6965DFE2F650B7D4FDFA41F53ECA95C1BD7DD3F0A0113D8DA7C643FA0D41AD4F86F51AB4BBB7486485E08064F2CDED437652170F597BDF143EFDF0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f./..........."!..0..,..........NJ... ........@.. ....................................`..................................I..S....`...............6...)..........LI..8............................................ ............... ..H............text...T*... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................0J......H.......h?..............P .......>.....................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....9.......PADPADP..7../...........S.t...p..T...3.2...0.J.M.*.=.0....bAA. .e......"....N..~..s...@].Sew.s.t.7.4...5.......x..........]..Q~........#n..'.<.+2]./...0...2.W.4...4>..5q..:...>(.3OL"PP^..V~..VV..eRaDf.3.f7..f..fj.Hpj.1.j..&u

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):83720
                                                                                                                                                                                                                                        Entropy (8bit):6.496857838837457
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:o8cy0w9JvivZVauxGHUopdNeU+Mf36HZMV8cidIzN:om9JviyuxGHUopdNeuf36HKqcV5
                                                                                                                                                                                                                                        MD5:3B2A12A984CE0BF13D5456E2A1A8B7E1
                                                                                                                                                                                                                                        SHA1:9AFF09FBE28F6229A568EFE481649427B9E940EF
                                                                                                                                                                                                                                        SHA-256:E93461BD9BB50625F8EDB92B80747C73BBCE2012058E8ED18CB80ED5BE0C8C4E
                                                                                                                                                                                                                                        SHA-512:94331602911AB39A5EC816562F5D29B7982B180FA7A88C752C4E58B5E95281F94B97BF95E33CA6643977EB4F4D88F4BC153E1FBA10FB460803636EE93D134B04
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....H..........." .........................................................P............`...@......@............... ..................................8....,...........)...@..........T...........................................................8...H............text............................... ..`.data...}.... ......................@....reloc.......@......................@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69392
                                                                                                                                                                                                                                        Entropy (8bit):6.416282203605119
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6q4zbv1VnpSetYSxycVFidKg0WWcnic23zc:6jv1SetYMXVMdKg0WWm634
                                                                                                                                                                                                                                        MD5:A28A3AA833134E59F793389AFF65DA55
                                                                                                                                                                                                                                        SHA1:5ECE44F0ECC710BA0732633B7078A70867936964
                                                                                                                                                                                                                                        SHA-256:C9774E7FB725A7517BCC758832F2FC3046EECC5DC05656757BF3E6B555340289
                                                                                                                                                                                                                                        SHA-512:3DF973C8247E2E1277679F9C6F2FB8DF0B8536BCE073455E3AB858D2F5674E7A49E6D0C90953AAC09480859D72373CA750CB6A094AEC8656CB5D151D305C721D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...N............" ......................................................................`...@......@............... ..................................D...@%...........)..............T...........................................................H...H............text............................... ..`.data...h...........................@....reloc..............................@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.796773675745742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qhedWmW+lPWp2YA6VFHRN7IP2IR9zo+CK:qhGl/FClfU9zwK
                                                                                                                                                                                                                                        MD5:6CA91D68B229B7FB22BAF4CD90E3B6DF
                                                                                                                                                                                                                                        SHA1:5992816675CDF4A308AE3ED4B067333E2A6136DD
                                                                                                                                                                                                                                        SHA-256:457210C9BEE0BC23BB939A0C066648A1BF644EFC2E688CD5B9A34A0887E8B9D7
                                                                                                                                                                                                                                        SHA-512:BC229BE933AA3AC268A1DB6F3D72BBBFEE17132D9E219A811D191FF119F127E3640B26CF00913716CE431BE17314D2F5300A4FB55C9709E7A91DDF4B6C6838A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H............."!..0..............-... ........@.. ...............................d....`.................................4-..W....@..T................)...`......p,..8............................................ ............... ..H............text........ ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B................p-......H........"..............P ......h"...........................................<linker>.. <assembly fullname="System.IO.Pipes.AccessControl" feature="System.Resources.UseSystemResourceKeys" featurevalue="true">.. System.Resources.UseSystemResourceKeys removes resource strings and instead uses the resource key as the exception message -->.. <resource name="FxResources.System.IO.Pipes.AccessControl.SR.resources" action="remove" />.. <type fullname="System.SR">..

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136456
                                                                                                                                                                                                                                        Entropy (8bit):6.505276293770358
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Tesr1AT4UdLwfR0CogtN6gQTveCMi0eZemClyk87hv/d4:dAk0EtMgCWS0tev/W
                                                                                                                                                                                                                                        MD5:9B7CB60F3687BB167C364027C69BE75F
                                                                                                                                                                                                                                        SHA1:F7D769F90F6FD22C121068CEC9AEC982CDB8511E
                                                                                                                                                                                                                                        SHA-256:ED9A1BFEC6B09CDDE2BB9FD7360C317A8FA536A39A211C649BC09324F6230455
                                                                                                                                                                                                                                        SHA-512:8428475F090AC092B2F97A824FA37AC21CE033C879CA082C93C3A127AE9086851997691CBFA85C232E96401D7347C2C075078A1A61DDEEF02D9A6AC095BFC776
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........(............................................... ......@H....`...@......@............... ......................................H;...........)..............T...............................................................H............text............................... ..`.data....".......$..................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                                        Entropy (8bit):6.835129073107362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pRHaXwxxx0SsWj6+WCpWjA6Kr4PFHnhWgN7agWtu8RwX01k9z3AeJR42Z1Of:4wb+ZWj6+WCYA6VFHRN7n9R9zrJRLZ1u
                                                                                                                                                                                                                                        MD5:255A63BB93AC8BEE021387B56A829104
                                                                                                                                                                                                                                        SHA1:B2BA88675BE4E005FB696ADEF5E99ADF2DEFAF47
                                                                                                                                                                                                                                        SHA-256:AAC0BCE431DE0D833394371359AE5BDD94B369C77733AA078B2EFAACDFCCCB2F
                                                                                                                                                                                                                                        SHA-512:3BB01D1F576C03895B0AA235624EC5B868EAF91621F997018A8F6EFBF469FD930AB548B4F1450D2B4AA543388BA4B9645284CBD2BEF0F39370341E911E1919A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\..........."!..0..............)... ........@.. ....................................`..................................)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................Q..].i...........k;.!..)zw.V....0/(J......$L.....1i.A.+..D5.....G.|.&.c.va7.c..6L..!R......N..3...........RO........D....#BSJB............v4.0.30319......`.......#~..<.......#Strings....,.......#GUID...<.......#Blob......................3................................................,...........E...........p.......W.................^...+.^.....^...e.^.....^.....^.....^...L.^...Y.^.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.684716827535747
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5bn83gY2W25bWXYA6VFHRN7Mm2R9zza+Qjb:1ndlcFClDK9zM/
                                                                                                                                                                                                                                        MD5:CCA0BFF7447B36C3585BD58E7331553C
                                                                                                                                                                                                                                        SHA1:60F98F8F0E64CC99C3870ACDF6853305E95DB2D7
                                                                                                                                                                                                                                        SHA-256:B772B9323E9E0C1B1E30FADC067A972132A434DA35B7FBF94F83E3DFD7D18F5C
                                                                                                                                                                                                                                        SHA-512:640926BB6951D915F40372A4FA8F200304EA040ED6D066D9EBFF06C104AFEF52091CEA415574A20168B0F90EBB8C60E491E11DA311ACCCA4DCC16DF3F426B20A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j............"!..0.............~*... ........@.. ..............................7-....`.................................0*..K....@..(................)...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................`*......H........ ......................P ......................................P....].&`..9.wl....R....k.SI}iK.N. ..h...1F......4.Y....eI9.......i.;.L.hN...a.G....w6..0....Q.#...8. {.%....2Eh>8i]...aBSJB............v4.0.30319......`.......#~......8...#Strings....,.......#GUID...<.......#Blob......................3............................................................=.....).....h.....k...........#...........8.............................Q.....S.........................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3857168
                                                                                                                                                                                                                                        Entropy (8bit):6.688507729288586
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:NcJRCkV0qWhSxCKB+GuuYKfM21hDPX7dRVLTeeYjGt553P77zbr7jrgrr+69NHX6:GJRCBhSzBpzfl1mja52rr+ANHXUZ
                                                                                                                                                                                                                                        MD5:41FA254B55E24CEBCACF5076FC3029A5
                                                                                                                                                                                                                                        SHA1:772DF03395D545DCAD32AF8F842FBB5BC1D208F8
                                                                                                                                                                                                                                        SHA-256:5FF8E5B5DE3AA34EC78E7242B4A79031C8193708DF7D558BAB940BC7AB9BF44F
                                                                                                                                                                                                                                        SHA-512:0DA185EE166679EE8F984D6319EB775C23E047FC064D42FB753B756464F95E336FFEF2537DEA09AEF2350F48C16CE1699A038C6E6EB4520A4492CF6A7E537B20
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....k..........." .....F4..j................................................:.......;...`...@......@............... .......................................(........:..)...p:..b...w..T...............................................................H............text...(E4......F4................. ..`.data........`4......H4.............@....reloc...b...p:..d...N:.............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...E.x.p.r.e.s.s.i.o.n.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):848680
                                                                                                                                                                                                                                        Entropy (8bit):6.7973776393266006
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:gTwW686EirtG6ywFx+6iYr9MRNAj14rjc6HqsXOnJcRVaeTz6tFe+sSc:gerswFx+6iUl4d+JcRpkFe+S
                                                                                                                                                                                                                                        MD5:E2CB15F2999A77A88DD9387E291F5642
                                                                                                                                                                                                                                        SHA1:8471EB6244175E636C8F8725E194955F046A8C38
                                                                                                                                                                                                                                        SHA-256:F025EBA4ACCD76656B7FC7ACFA35A2DA5FC22C03003EDFDC7769343B352E35FD
                                                                                                                                                                                                                                        SHA-512:C1D1A76FA934A74EB333CA69CFEBA23B4B68174EB0EB817BE81FC33831C980EF248444541AC97A13AFEC4E0714A2732D2DC399E2FE738C96905EE71A501E6D52
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .....V...r............................................................`...@......@............... ..........................................8p......()......P...0...T...............................................................H............text....U.......V.................. ..`.data....X...p...Z...X..............@....reloc..P...........................@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...B.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...P.a.r.a.l.l.e.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...R.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):228616
                                                                                                                                                                                                                                        Entropy (8bit):6.512443359566012
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:RZIyoRf1vQ4cHZEAAJLX02JiReD2bY7i+I/4n148cJE87MZzZiqGM+3aTol2iYIv:Rfo91vQbHZtuz02gb8dn5cgZ9GXVICv
                                                                                                                                                                                                                                        MD5:0FD8A529D17BDEC60A3D941E5BEAC4FC
                                                                                                                                                                                                                                        SHA1:08FEAFAE32E7CCB861F34034599B53C368E6DA5C
                                                                                                                                                                                                                                        SHA-256:7B1E83169F3865DB64C05C4CCC1C913E868E8B675B78B734923BDDE7E15ACE50
                                                                                                                                                                                                                                        SHA-512:8181FBB05721ECB49B97787A935E23F21770DCB8A7AA3C1FA554D8A096BD5F2F7A7D92BAB2443E5148173E832EDAD9B6D3006292BEFB2D3C69C7D7B5912B749E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;.b..........." .........z...............................................p............`...@......@............... .......................................4.......T...)...`......h...T...............................................................H............text............................... ..`.data....n.......p..................@....reloc.......`.......J..............@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...D.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...Q.u.e.r.y.a.b.l.e...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...T.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):537896
                                                                                                                                                                                                                                        Entropy (8bit):6.825953112999709
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:vLvJrD97IezrSLW5iIEobS5lEPsypTcenKskBvYvvyejaQO02KuAlz8J1J4+PDx8:TBrZ7IJ65iIET5mYIKsk8HQ8UASxW02
                                                                                                                                                                                                                                        MD5:DD7DD41A5EF369048A21784A73993E86
                                                                                                                                                                                                                                        SHA1:27A030563148509EBDC9E983E18885E621CDC26D
                                                                                                                                                                                                                                        SHA-256:F77B6D40B0B23614975F9124E337D7839194E2108D1C047D8DAE3F3F04ECD429
                                                                                                                                                                                                                                        SHA-512:C3823135C67A8492B507DCBE712D92821F5E896931C3B8C797FA9040E7D525842CABC0F196C0C5527F08D266A01EE3066B2F1E4930DC9EF833E6D85978736FFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....p............" .....`................................................... ............`...@......@............... ..................................4...$...8F......()..............T...........................................................8...H............text...._.......`.................. ..`.data.......p.......b..............@....reloc..............................@..B............................................0.......................$.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........<.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...0.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...@.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...L.i.n.q...>.....F.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):173832
                                                                                                                                                                                                                                        Entropy (8bit):6.801666674835895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ft95NfdOt6imRtccnfS7h+y6fM/XkFPh/h/tmlTYrADS12UogJv8Xx:bdOtbXcn67h9oPh/hwOUD0v8h
                                                                                                                                                                                                                                        MD5:07F04C8E412E1BB8FF3D064D95C8AB4B
                                                                                                                                                                                                                                        SHA1:ABAE696A98F55D279925D82E9AB0246EDD8D6B1F
                                                                                                                                                                                                                                        SHA-256:F999676C4E7AB2CDC76C75CBED43B7D323BCDAF75669D6676DA398E013CDC013
                                                                                                                                                                                                                                        SHA-512:E519C50F8781E2C4A61C41356F79C735885493DC7B8A457BD3DAC19B51305A71A33E8D158F1887F60DF62517ADC852666CBF92FE2C2AC04B6AFFA02413A7534D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7............" .....P...,......................................................?.....`...@......@............... ..................................D...d<.......~...)..............T...........................................................H...H............text...(N.......P.................. ..`.data....'...`...(...R..............@....reloc...............z..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0...4.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...M.e.m.o.r.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...D.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...M.e.m.o.r.y...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):82184
                                                                                                                                                                                                                                        Entropy (8bit):6.572349354143923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536://dC1+VOgCV+QC9Dwp0wRlK0lB5YjbwRHUf7CN75q6+8J8iGpzWNRBtg:/FC1BgCV+z9DWK0z5YjbwGCnt+82bpyc
                                                                                                                                                                                                                                        MD5:E95B96BE68BED8BBE120B9E2AF1C655B
                                                                                                                                                                                                                                        SHA1:698CB970A23D5C3A749B9D1723EE7C7D9BC9381F
                                                                                                                                                                                                                                        SHA-256:932409C163BA3351DBBA8DB638CECBE9D0224C96142EF9B57459009866CB72F9
                                                                                                                                                                                                                                        SHA-512:290D367F1A740F61F908459955CE625022E5291B4F888D2200258559C9153E70EFAC7DE94063A82CE992E4A281BD13E16FDB42E289843B9A69FB61D9D935BE93
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....m............" .........&...............................................@.......M....`...@......@............... .......................................*...........)...0......(...T...............................................................H............text............................... ..`.data....".......$..................@....reloc.......0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....D...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .e.x.t.e.n.s.i.o.n. .m.e.t.h.o.d.s. .f.o.r. .S.y.s.t.e.m...N.e.t...H.t.t.p...H.t.t.p.C.l.i.e.n.t. .a.n.d. .S.y.s.t.e.m...N.e.t...H.t.t.p...H.t.t.p.C.o.n.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1807120
                                                                                                                                                                                                                                        Entropy (8bit):6.72377514511698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:K+gRWsMsT/8SuPB0eDHxY6AnUIV2Et7+JSy6HJXwpkUrBc:K+gRHM6uPaeDHxY66UIV2PRaJ6a
                                                                                                                                                                                                                                        MD5:DE6AAE454E722E3F6338983C3E292B9C
                                                                                                                                                                                                                                        SHA1:4300C95F41916EFA603314963CA0E70FDB8F7E47
                                                                                                                                                                                                                                        SHA-256:6537558C53FC3F52C714D0B42CE52010D91C66BA040AEE1B57B58D1361AD075E
                                                                                                                                                                                                                                        SHA-512:BEF4AE8B7D5CB732DE8DDB473E04E9B96597075EB2B20A2D812732450CFEA6313C271018CDE87F0DC47BEEAC7ED7B75D8915FDBEBA09A272D2C4C95D04F71F4D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...*B............" .....^...............................................................`...@......@............... ......................................dt.......j...)...`..(....u..T...............................................................H............text....].......^.................. ..`.data........p.......`..............@....reloc..(....`.......L..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639152
                                                                                                                                                                                                                                        Entropy (8bit):6.675826804479448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:SAaST6MSRsRshV3P1ZE7Ap0FTRNN3RdR9R5ijQz9Dl6Tm:SAgF02J8TrWkz36q
                                                                                                                                                                                                                                        MD5:42F40FB38738D1F24D4DFCAA2491A274
                                                                                                                                                                                                                                        SHA1:0009AE9396D79E06D03323D8EAD5A6240B34ECF7
                                                                                                                                                                                                                                        SHA-256:9AD8BAE6EDEFBF35B8BBCE5DFCB5B058AA3B9A23F6836CDFE60601FD693EEB43
                                                                                                                                                                                                                                        SHA-512:B0C367588287226B148F5F3E2498423AB56B06EAEC327CCE52CDDAF05B4988EA5F5DA839F7BC5B8864724A875780FB42A51347AE260305E4A2EA87245095275C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!............" ................................................................1.....`...@......@............... ..................................,.......p;.......(...........3..T...........................................................0...H............text............................... ..`.data...............................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........4.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):552248
                                                                                                                                                                                                                                        Entropy (8bit):6.681552978241307
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:04YNveL6eFP1XxuNT5L2B2APiOLlbH5GAgZFd3qU:sa6A9XQ5FbP
                                                                                                                                                                                                                                        MD5:312C76ADC34A80AD00C01E036FE99893
                                                                                                                                                                                                                                        SHA1:A0E437A0CCAD78699EBC165E068182741C50C247
                                                                                                                                                                                                                                        SHA-256:558D751335D9ED63C6220F8B52DF1D5BE7138B844DD55A0ADBE0515EF3EEA9B1
                                                                                                                                                                                                                                        SHA-512:017BAEC878110FDDD6CD39AAD9E2DD7F7FB7ED274D85C82F81D8CDB2CE1B942A24E0DCFEAD50E2F27F6ECBCA8122CC7200201E8C105DC5E02F9BBE547FC14333
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f............" .........................................................`......l.....`...@......@............... ......................................x....@...D..8)...P..T....2..T...............................................................H............text...P........................... ..`.data...*z.......|..................@....reloc..T....P.......8..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101136
                                                                                                                                                                                                                                        Entropy (8bit):6.58531291273166
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Nc8vDWisUZDWj5CkxyB0flOpiJvXVIb1C:rvtpz4JFIs
                                                                                                                                                                                                                                        MD5:1EA4AFF32FC894ADFAB80ACBA0911FFE
                                                                                                                                                                                                                                        SHA1:F7E6D194EB406373E7C51361C732CF14130DC0A9
                                                                                                                                                                                                                                        SHA-256:6A4014CCD490E0BAD0A2521F5C0541037E945F8D06067777D90EC0AB1116579C
                                                                                                                                                                                                                                        SHA-512:B19735B5117625559BE7E9B720850B19052FE5F0910C5C311E1302C41A1D820D207B290671D23DF86F045FB693A8019EFA6752682DCA61DEC447C200C459E937
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....m)..........." .....8...(............................................................`...@......@............... ..................................8...X2..(....b...)..........X...T...........................................................8...H............text....7.......8.................. ..`.data....#...P...$...:..............@....reloc...............^..............@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150792
                                                                                                                                                                                                                                        Entropy (8bit):6.573942436665297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:dwGzr+JIgd5GfZOB7jG9LysLUYxPZLVXQ2Vf8ync7D+1TSapyLX:pr4Ia5GG7SLUY5fnp1+Db
                                                                                                                                                                                                                                        MD5:03F87B913BFE0EC24269251A9A6D0853
                                                                                                                                                                                                                                        SHA1:D2556A98ABC04D0DB2143B4AEB6BC80D97C51A83
                                                                                                                                                                                                                                        SHA-256:855A2B2D8AE418B3144D6A110DB09410A617D63A47B190EF51D66E018B5E68D5
                                                                                                                                                                                                                                        SHA-512:CAF1DA84B24C4EE8457248C60BCBB65247F3EBB31C789F270EB630B5D9305622724E6BC13411AA254F91471EA97DEFBE56A77E21E27B3F482923D35EBFB0F9C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....%............" .........0...............................................P......7.....`...@......@............... ..................................P...p;.......$...)...@..h...0...T...........................................................P...H............text............................... ..`.data...L*.......,..................@....reloc..h....@....... ..............@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79136
                                                                                                                                                                                                                                        Entropy (8bit):6.588702845265931
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:yS1PRHHY1TVcdoU0ZMg4m5IL2SvKBpKY37PWWDczF:yg5HHYVdd48ILepK86/B
                                                                                                                                                                                                                                        MD5:9BAAB57800A8916FC5F8A34ABD4369A5
                                                                                                                                                                                                                                        SHA1:9C9B2A43F51929E676DF7946BB67C3F6DC9AA541
                                                                                                                                                                                                                                        SHA-256:6AEB6CE1FE5C3A96845DD577F40D556CC3B88E23518396B14004EBCAA99455AB
                                                                                                                                                                                                                                        SHA-512:0FEF94A0C557740E0B538F103039A5A3E8007A6C150C88BAAA1552A5D77F1D68F61A876489F496139F001C1897DCC6A5677DA2BF55B2EF3BB42CE644497C2840
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Q............" .........................................................0............`...@......@............... .......................................,..D....... )... ......@...T...............................................................H............text............................... ..`.data...............................@....reloc....... ......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):214288
                                                                                                                                                                                                                                        Entropy (8bit):6.692866532143802
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vtjvFk4HiSLahyjGNbykDXO3bf5G+bHX7T1sWkN6OcE/64BWm1/2us/6M6eURoi5:FbFk4C5y4zOz53h+5fwR6eSo9kD
                                                                                                                                                                                                                                        MD5:D45721810B97663F99E10123DDFFEA4C
                                                                                                                                                                                                                                        SHA1:400FA1A9C317DCDAF5A6229B713B3803BB6879A9
                                                                                                                                                                                                                                        SHA-256:1AA669D54F4BBA84C1833E4C6C7FCD6C5057412618604F48844BB79B9FE0AC72
                                                                                                                                                                                                                                        SHA-512:3932DDE0AB8EFF7A0A1DAACA9A6C0F29A17A6F55039F640AEBBEE61CBA07567FE756F5F6A6A787ADFBCBB268A73861F5FE51C177380C3B783D380883DD2F16E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....>............" .........:...............................................@............`...@......@............... .................................. ...\V..<........)...0.. ....!..T........................................................... ...H............text............................... ..`.data....3.......4..................@....reloc.. ....0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293640
                                                                                                                                                                                                                                        Entropy (8bit):6.636078633076518
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:mvExTiARl6gq1zPt3CxPpuLdDmRw6WSL/l6eohgni:lR/j6XzBCxPpuLRm1l6Xmni
                                                                                                                                                                                                                                        MD5:FD789783FCE2564634EA2D47D4CF14CB
                                                                                                                                                                                                                                        SHA1:4C4C721EEB969A869625F64150759EA236DA1E7D
                                                                                                                                                                                                                                        SHA-256:7E5A21124CD63F428A24B78290569628F16C7C0D58BD4323CE358B235031AC98
                                                                                                                                                                                                                                        SHA-512:B0C4F2072E239312ACBFA868E5A69957CBAF058A189DB1DC4B2DD2265396C69C6A5813B8A8FF1D18F7950A93D3AAD08B51AE58805E1E14891EE8BA873D528886
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........n.......................................................*....`...@......@............... ......................................xw..|....R...)...p......H&..T...............................................................H............text............................... ..`.data...Re.......f..................@....reloc.......p.......J..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):349456
                                                                                                                                                                                                                                        Entropy (8bit):6.619249857259698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:ymhqNLrajj/iS/9z3E8djsPOkdMA4f5G/eopZFBq1Y:y8YPafiUWXAr1Y
                                                                                                                                                                                                                                        MD5:646F04A2738C65F25D1934E497ACFBA7
                                                                                                                                                                                                                                        SHA1:19850A695DC06568C4B4766A2BDF4D0383A6A273
                                                                                                                                                                                                                                        SHA-256:68BD9418A0B1ECBFD4202F145D00C0D23BB40F1936964A2B7EEB979053B234FA
                                                                                                                                                                                                                                        SHA-512:88664A6FE955AC149EF6C4E5DAE49D414BE01B7FDCC7BD3BF578B84BC84D63BCC6EB12BC53495C255E19A3977877C04DACFB2D5D078AAA4B2B0E9F0474383CC1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........p...............................................P......,.....`...@......@............... ..........................................*...,...)...@.......+..T...............................................................H............text.../........................... ..`.data....g.......h..................@....reloc.......@.......$..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Security.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):685320
                                                                                                                                                                                                                                        Entropy (8bit):6.8245378715729474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:XiPF+HUmX2XIw9BaNGRjpgPzLoLLwCvUX3L/Z9q92OD:XiS7X2N9Bki8k
                                                                                                                                                                                                                                        MD5:CA07464D94CC02F114CDA16BD19CCF01
                                                                                                                                                                                                                                        SHA1:552B26F881040EF5622E4B8B728D9F964CAC7B99
                                                                                                                                                                                                                                        SHA-256:EC1941E90A90CDE9F11CFCEF96B7618790EC321E760E4F3AFD53096DE7179484
                                                                                                                                                                                                                                        SHA-512:7BD77B75539065AA42F04A62928E22D3BF823026597398D8923BB9C12E034EF183E629D39A5C7324D17BF50B3064F5D009DDC2916B2C7EB9EAF3FEDD180DF5C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;)............" .........................................................p............`...@......@............... ...........................................<...L...)...`..<...(-..T...............................................................H............text.............................. ..`.data...............................@....reloc..<....`.......@..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.ServicePoint.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37136
                                                                                                                                                                                                                                        Entropy (8bit):6.50638514033971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NW+nFWGN7798x33dWc8fIY6WxR6OU1RpnJ87bxHKnfrjRYFSlxgdg3a2myQJNx9x:jTJyMBing5AD9wggDsKmqrFClA9zJ
                                                                                                                                                                                                                                        MD5:33F1488B82619B32EF30D8FA10932A83
                                                                                                                                                                                                                                        SHA1:073459116F208778B98A4B996984D6ABF742D820
                                                                                                                                                                                                                                        SHA-256:F91AFB1582BDD85D9B6CC6D4E5774169825E73E4BCD3A36C4408D37637731CC6
                                                                                                                                                                                                                                        SHA-512:96DF7CBEB36BF3CBB460DD6F531CD30971DE904A55354F9B9ED3FD67A3B0DD7800EDD2400EBEB9A329AF707B0232BA280FBC6B9C5690AF5F391CA2CC26131672
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...$............." .....\..........................................................-i....`...@......@............... ..........................................`....h...)..........H...T...............................................................H............text...KZ.......\.................. ..`.data........p.......^..............@....reloc...............f..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...S.e.r.v.i.c.e.P.o.i.n.t...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):506632
                                                                                                                                                                                                                                        Entropy (8bit):6.739877963601641
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:iY72vFk13eFkZMdvJEKzDiL1vu21pcIzL9wKopz+t+dR5jJ3B+P:iY72G13ZMliwiwOoZ+t+dRz34P
                                                                                                                                                                                                                                        MD5:B1C89B1E9A5D537A32BFC42710B590C6
                                                                                                                                                                                                                                        SHA1:0D0AEC1748EC4B8B50C23E82F6453908AE4F4F66
                                                                                                                                                                                                                                        SHA-256:E15AFD60ED6A5801F153648A77F36D15B7F9EDD1934CD342AAA3312D23E57FC1
                                                                                                                                                                                                                                        SHA-512:35E24F64F3D0A8FD171736C2503DC45931A9169C30BDFA450A741B0DD3E8E264B82508937CB52AFF31FFCCFE86DA4BB8FBFE38148748B3ED76F39B611D777F37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...b2............" .........~............................................................`...@......@............... ...........................................6.......)..........p4..T...............................................................H............text............................... ..`.data....s...0...t..................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):166696
                                                                                                                                                                                                                                        Entropy (8bit):6.64714001372041
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:5xwi2eI9dTW/NFVMqRcz7qu0OxDVY3qwJhlij3PMluseo1rzSH:rwi2eORW/3/RczOu0ghsegzS
                                                                                                                                                                                                                                        MD5:E66E573B815651533098204FE8F6A4B3
                                                                                                                                                                                                                                        SHA1:8A781D7E5C60F432BFB81FE4CBDCF1387E1B5711
                                                                                                                                                                                                                                        SHA-256:2AF045741EF32D6C92E345D75281B39EA818958C01ECB47834E43540901EBC83
                                                                                                                                                                                                                                        SHA-512:32247AAF0B7E71B365DD752A51C296C2EC3CB880A02106E4774616638E5ADEF16EEF163CB797076E9F891F612C4E38FD8039A3194C4533A07374DCF6B1477054
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...p............." ....."...>......................................................P.....`...@......@............... .......................................L..p....b..()......x...H...T...............................................................H............text.... .......".................. ..`.data....6...@...8...$..............@....reloc..x............\..............@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...B.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...R.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60696
                                                                                                                                                                                                                                        Entropy (8bit):6.535904077319764
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HBfRKv+6SDbVXWTlEG3VulTTTTTTTTTTTTTTTTTTTTTTTTT0NW8zOCb:HrKKpXqln3VRNrJb
                                                                                                                                                                                                                                        MD5:1A2192CD55AC26651019BD5716EDF274
                                                                                                                                                                                                                                        SHA1:9DDFCAAB954D4E86CFC9DA88E666AB57A19A0561
                                                                                                                                                                                                                                        SHA-256:2888BFDD67C2A71968E5945814471BFFC0A3BDE85980DF855CE3D60FE93C76E2
                                                                                                                                                                                                                                        SHA-512:2E4ABC3F4FF57418B2C0DDDEFDFCFBC48AE6B4ED5AD6C28C4917C04DC447A52B3356FE5F478283930FCE7079D08742946844F7537EC5D9E90C7163CA99174922
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" ......................................................................`...@......@............... ......................................x"...........)..............T...............................................................H............text.............................. ..`.data...9...........................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.H.e.a.d.e.r.C.o.l.l.e.c.t.i.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32056
                                                                                                                                                                                                                                        Entropy (8bit):6.557487177148606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:y3WpQwWm/k/viYHcZg2VUi6VGt1QWKlL/95/1oqOMlGFESX6HRN7PSpGR9z35v:yNyk/vL72Vd1HgTls3WPSY9zJv
                                                                                                                                                                                                                                        MD5:6EB91FC196B1CC9F19B2CD8FC3E8434A
                                                                                                                                                                                                                                        SHA1:AF03A2772C81E7CA43DE3297979F110BAAA6CFDF
                                                                                                                                                                                                                                        SHA-256:8F91556DE372D206D3622027C4512398B58EC8859C376A7D144926E0E85E51DA
                                                                                                                                                                                                                                        SHA-512:2AA33D88632309BC64932A1E330072CDCD0D8C9952B7B9CB25F367EDF7AA11BD005C2299AF0E1D4E3005D75CDD2620688322F14ADD8B03A1B3A01FC454E8ED71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .....H................................................................`...@......@............... ..................................t............T..8)...p..........T...........................................................x...H............text..._F.......H.................. ..`.data...i....`.......J..............@....reloc.......p.......R..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...@.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.P.r.o.x.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...P.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...N.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):76568
                                                                                                                                                                                                                                        Entropy (8bit):6.4853478188512375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:67OYMIHH9XOUiSd13OETTzlw49YLOXC3zlc5rbIRWpqIWHVz9:8ln5zX33DTTzlp9YLNDlc5rMZIq5
                                                                                                                                                                                                                                        MD5:4F6B324C53BBB877F0F42A6EAB84179B
                                                                                                                                                                                                                                        SHA1:3E57D33C2292533D31CE0D5254C2225ADFB1F1ED
                                                                                                                                                                                                                                        SHA-256:83968FC6BDF453ED228B7DA140C248ADE2F7A6084978DB67205A97636664F11D
                                                                                                                                                                                                                                        SHA-512:284DE4790BADFB59A9CD378A4789219CBC4CBEAB299F8F126B167EDB77F9204CBFEC9EC4309743E414D6931B7FFC73D530C2253C609A68679115EEA3C9894BBC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!............." .........................................................0.......U....`...@......@............... ......................................8(...........)... ..........T...............................................................H............text...1........................... ..`.data...............................@....reloc....... ......................@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...R.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.S.o.c.k.e.t.s...C.l.i.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...b.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):182064
                                                                                                                                                                                                                                        Entropy (8bit):6.640593125749875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:crJ1yGe/CWqtx3IRJK9Gkszawp+z1Mq87repROMKKnXWRDYZbQLmvh6st/9o1BV/:+yGtt+Rh887rijXXWrmvh3tu1O/ZRhmV
                                                                                                                                                                                                                                        MD5:C7159CD5889AACF32C60F1209B45B306
                                                                                                                                                                                                                                        SHA1:B21C82BC847D02C854BBF06B5F7DC6570EE95323
                                                                                                                                                                                                                                        SHA-256:30698ED152943072144CFFA5530C4D1F7A39C2AC0B9D4D982CA39CD9011FDF70
                                                                                                                                                                                                                                        SHA-512:3261D5EBB7D2240E9D901A4FF42E89F05A336BB4DF9AFC5063B79DEDEC705C7357DDADDB41B1C61FE9D91784C03163E10025CB63AF3EE0A38776A50AE9688F7E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....p..........." .....d...8......................................................c/....`...@......@............... .................................. ....O..`.......0)..........H...T........................................................... ...H............text....b.......d.................. ..`.data....3.......4...f..............@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18184
                                                                                                                                                                                                                                        Entropy (8bit):6.581798101266097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pV6EWw138N8G2WowVaWTYA6VFHRN7u+TcTR9z6ZGa:pV6Er138x/FClBwV9z/a
                                                                                                                                                                                                                                        MD5:9E6ACD5E0685D1C4B169FFCC4A990B48
                                                                                                                                                                                                                                        SHA1:67DC8BF8B6A120C3CE8FE8BDFF88BD84CB11FE77
                                                                                                                                                                                                                                        SHA-256:A6BF9DB02AA10F6ED725DD5D7E72AEF926361DF982F135CF8D9EAAE4FAFE47AC
                                                                                                                                                                                                                                        SHA-512:62E8CB2DDB1CE54D327F9324BA49ECAFA650A98F83C494F2083A45850334976E7A3B375CAE46B3DE65A384D22E378A862C66506CE5947A4B3C9F9D91B0009D01
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$............" ..0..............2... ...@....... ...............................A....`.................................92..O....@..8................)...`......l1..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B................m2......H.......P .......................0......................................BSJB............v4.0.30319......l...X...#~..........#Strings....D.......#US.H.......#GUID...X...D...#Blob............T.........3....................................6.................l...|.l.....Y...............M.......m.....m...c.m.....m.....m.....m...'.m.....m.....m...^.............n...5.l.................S.....S.....S...).S...1.S...9.S...A.S...I.S...Q.S...Y.S...a.S...i.S...q.S...y.S.....S. ...S.....S...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.708846111618444
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1Brpigxx9pWabBWipWjA6Kr4PFHnhWgN7acWDDcADB6ZX01k9z3AtOnV:157jpWabBWiYA6VFHRN7+DcTR9z6iV
                                                                                                                                                                                                                                        MD5:30549E2D5F2895F31260F03550D1AB89
                                                                                                                                                                                                                                        SHA1:2A9A436A1423569F906CAE05BD068849CFFE2D5F
                                                                                                                                                                                                                                        SHA-256:D21E226271AB8F12D1020BD9C644E5E77E6189C4F11931457A1638FAE8E85F21
                                                                                                                                                                                                                                        SHA-512:1962C98B89742FE19B23E928AC5659FF590CF561EB59B47986868794811B58865A76DB54AA6B9F8C2B24B40122D36158DD064BB4C848C3DC29C56634201AF035
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'..........."!..0.............N*... ........@.. ..............................g.....`..................................)..W....@...................)...`......D)..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0*......H........ ..t...................P .......................................T..c@..Go.3..j...Ey..R.C7..Y..Q...~+.\.AN.P...].j.+@.k.m.q[...k..;l...R.....]xh.}E..A.....,}....HnW.o...$g^..M...........%;BSJB............v4.0.30319......`...<...#~..........#Strings............#GUID...........#Blob......................3......................................D.........]...........v...................`...8.....0.......r...\.r.....r.....r.....r.....r.....r...}.r.....r...........6.....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.700345163959257
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cYawsYuvWevNWJpWjA6Kr4PFHnhWgN7agW3IgRxwVIX01k9z3AAljul+Yth:YHvvWevNWJYA6VFHRN76PR9z5lju5th
                                                                                                                                                                                                                                        MD5:251B3ADECBFC6975739805BAE9F63A05
                                                                                                                                                                                                                                        SHA1:5B04529783740F8BF1201ECA0DDE06D12C1C9A29
                                                                                                                                                                                                                                        SHA-256:1D46A019294A694C09B124AAD3FB55240A28035410FFF99AE028B08A8B0D42E0
                                                                                                                                                                                                                                        SHA-512:8FF80308BE71189708F8139565818D4510FB8917E8657842635F02BFAAB9F944D80A1683E86E0885FE876BF1309AB12CF4B1497FB7DEC5E169C142595AC97894
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@..........." ..0..............*... ...@....... ...................................`..................................*..O....@..X................)...`.......)..T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................<)......................................BSJB............v4.0.30319......l...|...#~......@...#Strings....(.......#US.,.......#GUID...<.......#Blob............T.........3..........................................0.........]...............................D...?.e...K.e.....e.....e...".e.....e.....e...}.e.....e...V...........e.............-...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):91312
                                                                                                                                                                                                                                        Entropy (8bit):6.552363583416721
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:7YFJyHM3VtaIGdrG6mksFajOoPnCXrrgpenOpEINYcIwUAZ+K+t34h6FqgHzqWUE:7Yms3VsI+Dmkz8gMnOQcdDzsqSqWfz/
                                                                                                                                                                                                                                        MD5:298C81F3EBB890CC364CCFDCF34058C5
                                                                                                                                                                                                                                        SHA1:6934C79624BB3DA9D22954EE339049D43D9BB83A
                                                                                                                                                                                                                                        SHA-256:A3D82D91C5C016586867F63F6CB75DD2062BC65068F3F1BFFE87DB6EF3C5F743
                                                                                                                                                                                                                                        SHA-512:F6DF7D3274A50BAAAD7A3B748615BC111040A080AB966956143A2E1A6CFA69A6CB64D6DB192CB1FCFF147BBF5E2C8BB6AC94B2101E6B8136136D5B1D7002BBBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....=..........." ..... ...................................................`......E&....`...@......@............... ..................................t....).......<...(...P..........T...........................................................x...H............text............ .................. ..`.data...H....0......."..............@....reloc.......P.......:..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...O.b.j.e.c.t.M.o.d.e.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...O.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.CoreLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10637488
                                                                                                                                                                                                                                        Entropy (8bit):6.834759168341911
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:QKlZeeIfZQsU+fRIwvUVvJS63bX4PrLAU4n/0v4/PyGvjr:3CfSsU+fRI/VvJSyX8OyGv3
                                                                                                                                                                                                                                        MD5:E483FEE9AC7ACE5AD3DBE0922BA0429B
                                                                                                                                                                                                                                        SHA1:EC481C588B3BD84305703C854EAEC4FD5998639E
                                                                                                                                                                                                                                        SHA-256:9133F14A629B51EB91BCB80BE17D6228BDB31CF64F1FF7D62CCB4C70E3D30CA7
                                                                                                                                                                                                                                        SHA-512:318CEC35F2DC2D44AF2CC00AD1300EC71CEB89AC9E199B059E1B3428405583662B2013632A89C961085A5596F1C301AAFF498CA8D8222BCD65E462C21E3284DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........F...............................................P............`...@......@............... ......................................d........(...(.....|r......T...............................................................H............text.............................. ..`.data.............................@....reloc..|r......t..................@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...C.o.r.e.L.i.b.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2077448
                                                                                                                                                                                                                                        Entropy (8bit):6.722460846508454
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:7r/zyRgRZfG3NMhSsdt1VTxpCBqlY5anISqsVZp3tODPPLD2DL0qF2:3/xZOqF2
                                                                                                                                                                                                                                        MD5:19BF6B8608C66AC95564DF67948A1F01
                                                                                                                                                                                                                                        SHA1:2E51080CCD8D044CB7F88E5186CD6A27234E7349
                                                                                                                                                                                                                                        SHA-256:3160457511B908D08EE652586B6288827D894765319E4D874271C6E35C569CCC
                                                                                                                                                                                                                                        SHA-512:F27689677446EEF7D559F94EF7E48C6C3E0629119516D91E9C2F11F80E7481D5AD749A59F75DDE09C03342B1E5FB2CAC3C933A32A05F678FA7977A0F65AE26BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....t@..........." .................................................................. ...`...@......@............... ..................................L....`..8........)......,!......p...........................................................P...H............text...Q........................... ..`.data...s|.......~..................@....reloc..,!......."...h..............@..B............................................0.......................<.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^...........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........T.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...0.....0.0.0.0.0.4.b.0...j.)...C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...D.a.t.a.C.o.n.t.r.a.c.t.S.e.r.i.a.l.i.z.a.t.i.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...z.)...F.i.l.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Uri.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):252712
                                                                                                                                                                                                                                        Entropy (8bit):6.803118641554585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:4Y9Nlu+ra9AkzUhysCmV9tC0XAoe0tAqBmlvaP8lgYD3cRW8qZ+aodJsu/Q0DAsg:Di8ZkzvslViFoeEivw8lgw3cKZejsMvg
                                                                                                                                                                                                                                        MD5:EC9FF4357A78C2DCBC6092ADA5A2AE6F
                                                                                                                                                                                                                                        SHA1:5A8EC381B24FB168B9586CEDDE3680506D71AF47
                                                                                                                                                                                                                                        SHA-256:3C038D1F2461A38D1E3E5FA06A524F493554DF07A5B0661968E32B3CCE5212B9
                                                                                                                                                                                                                                        SHA-512:1441EA2BDB046FEC70C628BA3A6920438695190C265F020A54B5614F62452818CF47B6D808DB37D4EDD0532BB349EA09F86AF695D5FAF6F35D4CC09D233F1328
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........&......................................................vx....`...@......@............... ..................................<....V..........().......... ...T...........................................................@...H............text...S........................... ..`.data.... ......."..................@....reloc..............................@..B............................................0.......................,.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^...........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........D.....S.t.r.i.n.g.F.i.l.e.I.n.f.o... .....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):405264
                                                                                                                                                                                                                                        Entropy (8bit):6.714042900365998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:KR+I69Gw4hphuS5BpIVGcHH8lKPmS6up6+:2+WNhpBynH8G16j+
                                                                                                                                                                                                                                        MD5:9D4484E7B3FEC9597EF9ED633AA3168F
                                                                                                                                                                                                                                        SHA1:21DD509808A6A0EECF13298E3FA541A391E452C2
                                                                                                                                                                                                                                        SHA-256:29DB6AF0D7E4400CD041FAC47546B20BDA2CE5EB730264C99FBC0986751085D8
                                                                                                                                                                                                                                        SHA-512:4CC385ED15E2038FCDCA55A57E83CEB787B80E1CEF18EDB2BB36E912563BDEBE7DF74B1AAEA6347B0823299FF967F3483D761387B330543AE0C2752A8B6051B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........j...............................................0............`...@......@............... ......................................,....0.......)... .......+..T...............................................................H............text...*........................... ..`.data...O`.......b..................@....reloc....... ......................@..B............................................0...........................d.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^...........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...X.m.l...L.i.n.q...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8505608
                                                                                                                                                                                                                                        Entropy (8bit):6.821437608207014
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:Smwr9q/Lo4Ou8M1xwOSZ+0TaFqZlH1naEeVQjhV:h/XOu8MzwOSZRYQ5deWjX
                                                                                                                                                                                                                                        MD5:3A78E5F2522B643BE517D485D2FA9EC5
                                                                                                                                                                                                                                        SHA1:4542B8B41B97CDF08672114D38DA87FAE88775AC
                                                                                                                                                                                                                                        SHA-256:335867B5D2E3FF3FF3B0CFAC4D8B654300AF9E3BEC3E0A6A38441415335381EB
                                                                                                                                                                                                                                        SHA-512:84F92F4661D66AB1EE5EDA970204A5487E941CA0A83C105B701B818B653950E11E9753DFB3F840C055DED799D23F8928CC9501BB6DBD198B9216B1BA438B0C24
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......|..............................................................`...@......@............... ..................................<...D...8R.......)...`..X_......T...........................................................@...H............text.....|.......|................. ..`.data...8"...0|..$....|.............@....reloc..X_...`...`...@..............@..B............................................0.......................,.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^...........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........D.....S.t.r.i.n.g.F.i.l.e.I.n.f.o... .....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66312
                                                                                                                                                                                                                                        Entropy (8bit):6.579630181472548
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:SsGqs6PbkymbnA0be+s8cu5BiEUxbluKm0i9pzWYf:SsxsUoymbAiy8BiEY9m0QpyYf
                                                                                                                                                                                                                                        MD5:7051A2BBADB9065085E4354A1F300936
                                                                                                                                                                                                                                        SHA1:EE7E3E2029DDD2E5044A9E74FD4659CA2D792AAC
                                                                                                                                                                                                                                        SHA-256:AC28D3517C24ECC00AF041D5B3C3D878AA816082F658AD826D6F6CD0C4D5E170
                                                                                                                                                                                                                                        SHA-512:1EEE4C0C03E5086A425D047E8EBEFC28EF4DF603BBCEE22A03C363383299ED6C001BF5E45FE8146058285E08E22B21926DB7CE78A7D735DF8EDDA89B9F9668EB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...<.7..........." ......................................................................`...@......@............... .......................................%...........)......0.......T...............................................................H............text............................... ..`.data...............................@....reloc..0...........................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...X. ...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.f.l.e.c.t.i.o.n...D.i.s.p.a.t.c.h.P.r.o.x.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...h. ...F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.731452166320643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KdmAPIh5WVsUWjYA6VFHRN7c7VXC4deR9zVjx0B:nAPCTdFClc7VXC4dC9zVj6
                                                                                                                                                                                                                                        MD5:23DCCA25D64F033EC933CBF083D19EA7
                                                                                                                                                                                                                                        SHA1:3FC9E0DD194587839DDD66ED84DC0F6424031794
                                                                                                                                                                                                                                        SHA-256:BD9BE884AF004544C47727D6C84256395F3968A97C9AF47484BAD919F103A9D4
                                                                                                                                                                                                                                        SHA-512:2C19609752E2E40F3FF48CF30E51B4ED58836FA4DADE6A250EA2F34579CBB9BE4F9B07A68C2D3CDB61537FC8C408946D3DB336E9D4BD7E4C404F75C1E5036596
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\............."!..0.............n*... ........@.. ....................................`..................................*..S....@...................)...`......P)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P ........................................I(..PNp.....e{..$....v+..P;...:.!P#..4.e.y.P.8.d.t^.|.......}.m.....&.|.z.d.....!y.8.`L.M3..8F.C..c..*...|.K].....6.a.."BSJB............v4.0.30319......`.......#~..t...D...#Strings............#GUID...........#Blob......................3................................................"...........;...........f.......7.................b...!.b.....b...[.b.....b.....b.....b...B.b...O.b...v.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16184
                                                                                                                                                                                                                                        Entropy (8bit):6.717541563928021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ydbjS8WxRVJW0+X6HRN7hUzDtdQ5R9zP2il:w0yWGFds9znl
                                                                                                                                                                                                                                        MD5:D67025C176E928D4A4D300DC552A8D6C
                                                                                                                                                                                                                                        SHA1:A363A379995B46190824D278836CF752CDCD1A10
                                                                                                                                                                                                                                        SHA-256:39217B38B36627DE4C09A116F3A26E3565C3150255ABDF492B7296B2822B6181
                                                                                                                                                                                                                                        SHA-512:396A77F1F5ACE23A81B59A292576FE7A6EA5C2842E768DE91D956595851323A75BBB0AA826395C0331528CE5374238A6D3BEF644264E33B71E33E42ECD821FA3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K\............"!..0..............)... ........@.. ...............................2....`..................................)..K....@..................8)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................ ..d..]...Y.D.\~...s_..j.Z...J@.Z.....<add....G....Y.b.x...}.\Y.w@..cF.U.S......>32..@S.\.....C.nO..=..n.3...8....6.O...XBSJB............v4.0.30319......`.......#~..H.......#Strings....P.......#GUID...`.......#Blob......................3................................................2...........K.m.........v.......@.................G...1.G.....G...k.G.....G.....G.....G...R.G..._.G.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.734500709043853
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ilxvu8CLLW6MbRWcYA6VFHRN7XYdFDR9z7W3F:+u6tFClXYPl9zy
                                                                                                                                                                                                                                        MD5:4FE8A8072F206B46ADDBAD0C61168D59
                                                                                                                                                                                                                                        SHA1:2270D75DFCC5B1A5F4751A5CD027D10FFB62B5B2
                                                                                                                                                                                                                                        SHA-256:C2949807B3BB6EC74EA786708335CAF5484082CE4901AA0D5D1B59608699A79A
                                                                                                                                                                                                                                        SHA-512:685424B68AC153B3E55333F48ACD2B182DFC477CB6F590DAF410EA59532A61BF429948BA9B4E74EE72B43E4E5F2B33E015A18D023249E416CA02667F9373EC0F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b............"!..0..............*... ........@.. ..............................o&....`.................................d*..W....@...................)...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ......................P ......................................|....chR.(.._.@...|.3.5.8,.b5.......?O..cT.....>...S....z....K.O.N.2.....j..5..y.........[,5...?..(b..A.\...HL,.....J*. iLBSJB............v4.0.30319......`...X...#~......p...#Strings....(.......#GUID...8.......#Blob......................3................................................"...........;.....2.....f.......$.................+...!.+.....+...[.+.....+.....+.....+...B.+...O.+...v.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                                        Entropy (8bit):6.8012541413925405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3t8YJXWKyWWOYA6VFHRN78RxB+R9zP5xE:3tdS2FCl8Rxw9zPE
                                                                                                                                                                                                                                        MD5:359100F45ACC2BA5FC6F2568B06ED5CD
                                                                                                                                                                                                                                        SHA1:466C5050B1844078C01A498C11413CCF626A7FA4
                                                                                                                                                                                                                                        SHA-256:6A993469374344523406736668802D19C0EB9A86A688348866A753B3340EAF33
                                                                                                                                                                                                                                        SHA-512:CC272C6E2DB59C6E890308A6C9D479B4C6F233FE450288AE02B37A4ABC8EE4E13ED8B32579F92EDD6D4A59CF724F8A5AEA67AFFD909ED0E695D1ECF57A9CA280
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z............"!..0.............n)... ........@.. ...............................y....`..................................)..O....@...................)...`......`(..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........ ......................P ......................................2.. u.Y.....b.I.oi...Z......^...NC.w.........B......Xuu.|].^.K.l...N7..D.j...N.Z[.R....C..f.17X.fWCW.i....d......*9.Uw.D.BSJB............v4.0.30319......`.......#~..0.......#Strings............#GUID...........#Blob......................3..................................................,.....,...3.....L.....^.....a.................w.................w.................G.....I.,.......................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1130656
                                                                                                                                                                                                                                        Entropy (8bit):6.715905432836471
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Gzj22UrYDBFZmNt+Ll3tMgRrSkM7yTWHt8kJjaJlB9vNR0wyQPoVODzty2el+dj:CVuv+53rRukMZpO/kwhPDzw2el+dj
                                                                                                                                                                                                                                        MD5:B6D60C794F11C5487975EACB167EC9A8
                                                                                                                                                                                                                                        SHA1:0954C3A5693DA7B3F6D3730BC102451DA9E1B89A
                                                                                                                                                                                                                                        SHA-256:FD385C3D3C1B096801497CE0200CF96CBF6C7AA5BA28CD8E51A596FDFF79EF2A
                                                                                                                                                                                                                                        SHA-512:29E4E3A6D03D604DE8092A9D5E8A803C2DFF3A033F1FC613CC1F5411B6E8340AA38A7A375C4FD360B43A6A94A538FF768504A9A4C89CC39FE0057645FDC93541
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...H.)..........." .....4...................................................@......ht....`...@......@............... ..................................h...............(... ..h...xW..T...........................................................h...H............text...>2.......4.................. ..`.data........P.......6..............@....reloc..h.... ......................@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...T.h.i.s. .p.a.c.k.a.g.e.s. .p.r.o.v.i.d.e.s. .a. .l.o.w.-.l.e.v.e.l. ...N.E.T. .(.E.C.M.A.-.3.3.5.). .m.e.t.a.d.a.t.a. .r.e.a.d.e.r. .a.n.d. .w.r.i.t.e.r... .I.t.'.s. .g.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.766244200871325
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:CCrP0C5xxkWWSq+WB3pWjA6Kr4PFHnhWgN7agWEuWGshHssDX01k9z3AGW87d:r0oWWWSq+WVYA6VFHRN7g+FDR9z7W85
                                                                                                                                                                                                                                        MD5:72C0E8F0C891D0D32883B91C69FAE958
                                                                                                                                                                                                                                        SHA1:DD1231450BB7B72B8E53110C5675BAA86EC6846F
                                                                                                                                                                                                                                        SHA-256:8F9C83135A78C8740068B07FDAFD647BE42484E8BE182A7AAE3D0A345528BA45
                                                                                                                                                                                                                                        SHA-512:589497251EBB975AB5C84DD7B8EC3E40E0DB70CF9F48E88D450D36025B2EEC3D3CEEC28E227A6013ABCB98073A0F886443410A267B871B8FB51FC08F323803D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0.............^+... ........@.. ...............................p....`..................................+..K....@...................)...`......T*..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@+......H........ ......................P ......................................k{.*....U4>\..T.A.....[.c..MA........a..6..P.&T.>.<U..S%...|.t.m:_...nQu.O...Q.a<9^qU....w{n.c...W..O*p......]...}}.ET.G...BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................3.........@...........Y...................`.................g...?.g.....g...y.g.....g.....g.....g...`.g...m.g.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33592
                                                                                                                                                                                                                                        Entropy (8bit):6.486828889454643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kCWmaeWGlEYc9RSfX0lawccfNXuWrdzy+A2mcpPL91ePX6HRN7Ou0R9zUHm:k3GlDcWEAwcc1+Wc+bmUPLfoWOu49zb
                                                                                                                                                                                                                                        MD5:9D26813D0E4E76BF161DF6467D46593D
                                                                                                                                                                                                                                        SHA1:04100251143A0146FC28F54003E05F34B29C07D2
                                                                                                                                                                                                                                        SHA-256:3B581E1C257AF2B87AC6279BEAE8734E4A79CD3F86335168763BCEA8D495330E
                                                                                                                                                                                                                                        SHA-512:6BA1BE1142254F0F2755596ACF28825C0F43596D6D7D0CF942D40067BCE2B24C38BBED6C82E34301EBD6C21D807745723C8932C181139F9FA7A7BE0B3957397C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...-............." .....P................................................................`...@......@............... ......................................D........Z..8)...p..........T...............................................................H............text....N.......P.................. ..`.data........`.......R..............@....reloc.......p.......X..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.f.l.e.c.t.i.o.n...T.y.p.e.E.x.t.e.n.s.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...j.!...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.723329527099039
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mEKi0jWhGCWefYA6VFHRN7P178FDR9z7Wxs:7KtCfFCld0l9z6s
                                                                                                                                                                                                                                        MD5:4564A146B250C1C73E59A6FED69FCA60
                                                                                                                                                                                                                                        SHA1:A9645B6D15EF8799AB5C0FA1D09FD5D01DFC3291
                                                                                                                                                                                                                                        SHA-256:F2DF432950E7751EA35A19C078376A7FEA079E739AD89C1A63CC45B41A07D18F
                                                                                                                                                                                                                                        SHA-512:D3A6B078FDEEB3492B20B442504CD743F84D08DD987E916F768B1222DFF81C73B4B7F72C1F8623695164A9715FC3C1E18ADF1EC2C5C877F54ACBF060ED4E2270
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............-... ........@.. ....................................`.................................8-..S....@..h................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B................p-......H........ ......................P ..........................................MA.}.]....v"E.~..O`.....H....h...?.6..>..Q]]..D^b..$.T.sR.9.,.X#MlK.O..dU..J.ukG.\...GyQ...c...>.=B3 ...4.....X....`BSJB............v4.0.30319......`.......#~..........#Strings............#GUID... .......#Blob......................3................................#.....a.........z.<.....<.........\.......3.....w...U.....M.....7.....y.................................................<...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                                        Entropy (8bit):6.782820861043016
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:WeP4MKrW4N3WmYA6VFHRN7RKVXC4deR9zVjx93:WM4MetFClRKVXC4dC9zVjn3
                                                                                                                                                                                                                                        MD5:1F4727345E2C6782DFBAADC9E9817693
                                                                                                                                                                                                                                        SHA1:F467E2BC1F7D1DE3FAEDC953DC8EC8707B3E9268
                                                                                                                                                                                                                                        SHA-256:4818E3F1CAD2A5B47078C068AB08DC0DFF4110FDC8B525A99523C3D0789BC75A
                                                                                                                                                                                                                                        SHA-512:B925E8166F9E8AB1FA3719FD95E792AD725C427818144E3012C27BD251B4BD109A7447F862D886017CE323FCB815EA7E02B73A4865FCDEC00D457EA51CC5CD17
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............)... ........@.. ..............................,R....`..................................(..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H........ ..@...................P ......................................|.....[s..Bn....g..X.}..z..4{.vf...........l.p......0..!..7.Q....W.u.Cg^.....b.7=.y.7.....n.."4.......NHeS..?s.P.........SBSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3..................................................=.....=...3.*...n.....^.....a.................w.................w.................G.....I.=.................$.....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16176
                                                                                                                                                                                                                                        Entropy (8bit):6.777064915062182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:LJMER3xxBRvWVxzWteWxNzx95jmHnhWgN7aIW5z45WXYz1X01k9z3AyoFewPe7:OmhLRvWVxzWtlX6HRN7moJR9z/Ke7
                                                                                                                                                                                                                                        MD5:8245CEBD42F6DDE00034133DD1E618B6
                                                                                                                                                                                                                                        SHA1:80A448FFBF1B6DD0FD033AA925D8793B440C486F
                                                                                                                                                                                                                                        SHA-256:ED43F130E2E71AE9C4160D887BDD004105E34B0D353DAFF1F12F7DE7CEFF6737
                                                                                                                                                                                                                                        SHA-512:B8202FDF61803A2C6A071D68F6AD9E0F153E54745044EC298505EED852DF25140992C4FF753C1E8E8FF42AB0FDDFC8D846E1EA1438295C4FD5C83A563663CB5C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0.............^+... ........@.. ..............................b.....`..................................+..O....@..................0)...`......H*..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@+......H........ ..x...................P .......................................B0.;...V#...4C.....t...C...5.I8./.....B..}.O...'.=?ky2...)L0..`.A=....U_.w.'Y......h.I..2Y........GK... |?l.=.p...Y..M.BSJB............v4.0.30319......`...h...#~..........#Strings............#GUID...........#Blob......................3......................................M.........f...........].l.................r...A.....9.....#.....!.........................................q...................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Writer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45320
                                                                                                                                                                                                                                        Entropy (8bit):6.5512339771396775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:6l7vatyqsSfySDzEjI7uG8lZ6KFClfFT9zSG:6JQHjnz+YuGUZifTzSG
                                                                                                                                                                                                                                        MD5:C2406CEA76D202D405D811A647685BCE
                                                                                                                                                                                                                                        SHA1:3CDA5B4AFE38FFD978DCDFE9F06E71BB4A27E458
                                                                                                                                                                                                                                        SHA-256:9146D7B97ED2B0D1BFDA6F75E508A1E4D171ACFFA75D9F061294AA0E64D8D93D
                                                                                                                                                                                                                                        SHA-512:BC74AA88385C1E679FE3D93240B271774D1623060D1A42B66D5CA2D0617268FA0B40278A13D45E3978461CB5A5ED2E6B358643CAE8636D2D05FD5F971C39C66F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .....v..........................................................H.....`...@......@............... ..........................................@........)..............T...............................................................H............text....u.......v.................. ..`.data................x..............@....reloc..............................@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.s.o.u.r.c.e.s...W.r.i.t.e.r...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22800
                                                                                                                                                                                                                                        Entropy (8bit):6.425734217683911
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DWgi2WkbXPPGmmOWWWfnpon0YA6VFHRN77Zm9R9zrJRU2:6sHGmmHPFCl7M9zs2
                                                                                                                                                                                                                                        MD5:5EF80C5A289DB81C062B66908A2C6B9F
                                                                                                                                                                                                                                        SHA1:CF799B59D6CD69890592F42238F14337EFBE3B48
                                                                                                                                                                                                                                        SHA-256:C47A7B97F2026DACFC4B5C866429513E10D2C3C39201420E1C3A5624927E706C
                                                                                                                                                                                                                                        SHA-512:CFA3711F94F5291CE9F30EDB8DBA0BFD7C9D219327180F11D597113B997A0DF5EB76E2E2BF7F82F99B5C96B7D027D5E5C50365646DF01FD5C47B1FDF5B7B35E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.../..f.........." .....*...................................................`............`...@......@............... ......................................$........0...)...P..........8...............................................................H............text...o).......*.................. ..`.data...=....@.......,..............@....reloc.......P......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...f.'...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...C.o.m.p.i.l.e.r.S.e.r.v.i.c.e.s...U.n.s.a.f.e.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...v.'...F.i.l.e.D.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20232
                                                                                                                                                                                                                                        Entropy (8bit):6.598667978987244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MWspLW2LIrR/TvnaNEcv2YA6VFHRN7eCVCEpcR9zURG:4RLq/TvnaNwFCleCVCEpw9zx
                                                                                                                                                                                                                                        MD5:1EC59746C207B75224D1C170AB65D5D9
                                                                                                                                                                                                                                        SHA1:106EF6FB34DC9B2555A8723603828ADB736A312D
                                                                                                                                                                                                                                        SHA-256:3526B82CFB921E84C749DC54976503441D09FD36F569A0D574FB6819510AB7CA
                                                                                                                                                                                                                                        SHA-512:1DC5606DC607A349DB6A462D317CFCFAEC5D0444479FBC2B8C7F01D2E0E2443711C2E9DD0FAE7A702FB27ADA10DB52CFCDF2D5D7AA4C704911CC4B11516DF829
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ..... ...................................................P......#G....`...@......@............... ...............................................&...)...@..........T...............................................................H............text...`........ .................. ..`.data...D....0......."..............@....reloc.......@.......$..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...C.o.m.p.i.l.e.r.S.e.r.v.i.c.e.s...V.i.s.u.a.l.C...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18192
                                                                                                                                                                                                                                        Entropy (8bit):6.628514917253588
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:c5y7UByGe9xCEV6mW8/NWMYA6VFHRN7/5FDR9z7WGM:saUByGePrVFClTl9zq
                                                                                                                                                                                                                                        MD5:C692B087C3167E7263397E9B34E94332
                                                                                                                                                                                                                                        SHA1:105D78B07E06E1C28AB69DC7E8CF4A7F6A71AFC3
                                                                                                                                                                                                                                        SHA-256:59692C49D72030F5259052EFAC5BD88BC2D3471450D3F081D64F1E60E2C502E2
                                                                                                                                                                                                                                        SHA-512:8484AF16073C9CDE88E67BECBE2C1C126FC4761323C7A2AD71D869447649A8529D23A3CB779F34E1FE388A0004BD9FEC4B801E1FBB8B527BC39BAC97AE48C2E7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."!..0..............3... ........@.. ....................................`.................................<3..O....@...................)...`.......2..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........ ......................P .......................................O...u..?...[\.....2..[ y..m....>...,....m..9..GS6...B0d:..]u^...O..E.......a.7F.......i.4#....iH..+..E.y%.Bc...Hm....n..BSJB............v4.0.30319......`...$...#~......l...#Strings............#GUID...........#Blob......................3................................O...............Z.............m.........,.W.........5.............p.....p.....p.....p.....p...E.p...b.p...z.p.....p.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                                        Entropy (8bit):6.822445014968599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:NHx15LTIWASmWOpWjA6Kr4PFHnhWgN7agWyA8RwX01k9z3AeJRf/R6Lv:NR15LTIWASmWOYA6VFHRN7a9R9zrJRw
                                                                                                                                                                                                                                        MD5:80FC1F4FCBAEBFB32BC62687AB95A9BD
                                                                                                                                                                                                                                        SHA1:C20C3D1039A0B374393694CF0A7921B3FFB54161
                                                                                                                                                                                                                                        SHA-256:6DE0F580DBCCB63C2B6053AC81CDAFD7FDF5C8A1B177D336DD75D9E1DD176E0D
                                                                                                                                                                                                                                        SHA-512:B4E8AED6A8F81F3E7DD206FCCF06BE65E6186700CCDCBD741B08172AE7D6F74EDF2241E59AFDFDCA212DC5AE01B5399AF79F150D4BFDC0D8784714DC930CA133
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wi............"!..0..............)... ........@.. ....................................`.................................|)..O....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................t.[.%{*.d*&.WQ.O.!......."...F.z.NQiqD.....v...gCI?r.U............h.\</]....a..q}V.....d...t.S.. .I..7.^,s.....9..t..&..q.BSJB............v4.0.30319......`.......#~..L.......#Strings....P.......#GUID...`.......#Blob......................3................................................(.x.....x...f.F.................'.........L...........a.......................H.....z.....|.x.................@.....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32008
                                                                                                                                                                                                                                        Entropy (8bit):6.450786767544824
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JYWHcUWW2i5ctERQXIG6KMWFYpmGRIOBB/rSYA6VFHRN792R9zza+X:Jm8SAKMWFkmGakB2FCl9K9zL
                                                                                                                                                                                                                                        MD5:25B91230BE0B6D4FAC1B999ECF8FC76C
                                                                                                                                                                                                                                        SHA1:2D943785738A21D9C2026726C8500A606E022D8E
                                                                                                                                                                                                                                        SHA-256:1A536B20C7FD07A4B156C6C68048AAB24BDDC19786C98704E7EF11FBDDACCA0C
                                                                                                                                                                                                                                        SHA-512:B3AAE1F551B4CE642BF5B347F35186A1F7B8BE08F4F186971FB3D99991C24E5F04BDBFC70EF4A46DB87A420C95ED9E3C1AE0A7B893D5C7B5CF9A5193B1D4D64F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...j..........." .....H...........................................................+....`...@......@............... ......................................H........T...)...p..p.......T...............................................................H............text....F.......H.................. ..`.data........`.......J..............@....reloc..p....p.......R..............@..B............................................0...........................p.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51984
                                                                                                                                                                                                                                        Entropy (8bit):6.480267391585499
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:sBfoK6fKUINsWW/z2rg8Z61rvZqhwFLXFMjKYuPt3FClT9zL:sBfoWUINcz2r1GqhwFLFMjKPPt1i5zL
                                                                                                                                                                                                                                        MD5:88512250F0E7ED903BFA2A457CCFBE9F
                                                                                                                                                                                                                                        SHA1:9020853BFD6C297AFCECDD12AF6014A57111DE7A
                                                                                                                                                                                                                                        SHA-256:BDA3738F6C45B50862D09DDE795B4FD27E31815DDC8918A16F63B2C4BACA5FB2
                                                                                                                                                                                                                                        SHA-512:B4419F8431B756B4262195013068E4E851A17B49972C9E3112BAF2C22EDF795E82C614A4B2BBA0613E60E873FC8093EA302E18F68B8E85FFB3504D04A9DBEAA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...O............." ......................................................................`...@......@............... ....................................... ..P........)..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...I.n.t.e.r.o.p.S.e.r.v.i.c.e.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.677337531505305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:tTBV9nrJAlvWmpLWNpWjA6Kr4PFHnhWgN7agWySnE8RwX01k9z3AeJR7oA5k:D1QvWmpLWNYA6VFHRN7+E9R9zrJR7o7
                                                                                                                                                                                                                                        MD5:514CEF61159B16DE1FDAED7056A3E0D9
                                                                                                                                                                                                                                        SHA1:7ED1FB6A569A7C9E8507876A094334CF9F3B0969
                                                                                                                                                                                                                                        SHA-256:A421933A4B9EEA4170EE68EF1754DBA590970599CA2F5B52F92DE7B0DC2769AF
                                                                                                                                                                                                                                        SHA-512:4450BB36331EF7B9F08F7527E3C3509393CBD58CAA27B1BDD877204CF0934C684CB78D81231B94868524AC5F031AC3E8DF234F55567CDF54691510CB2184D6BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............-... ........@.. ..............................~z....`.................................d-..W....@...................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........ ......................P .......................................l....@..... 22....8..0..4|....."...~e._.=..x.?..1.....d.........*>]wD..3..g.f.."J...-.B.4..."w....S.|...z.a..G..6..7s.$.BSJB............v4.0.30319......`.......#~..<.......#Strings....$.......#GUID...4.......#Blob......................3................................9.............................p.........?.....g...................1.....1...}.1...4.1.....1...X.1...u.1.....1...(.1...O.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Loader.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.727108508133854
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:UW0SQaRxxocuW5yGWLpWjA6Kr4PFHnhWgN7acW66NqPY00pyEuX01k9z3AL68ZIR:UUQW6JW5yGWLYA6VFHRN7fEpcR9zUU/
                                                                                                                                                                                                                                        MD5:2724E3263871899F2684D8B2432A370C
                                                                                                                                                                                                                                        SHA1:F5A9EDDFFC2BF60D77BB194BBDBB6CDF5D353A52
                                                                                                                                                                                                                                        SHA-256:69F2DA7C2A3EA6F0C742EBBDD422ECE10D050B982424773C9E07368E06401592
                                                                                                                                                                                                                                        SHA-512:329DF6407F7A69F85318D656092A5F78C78ACCA8F998290DBCB159E4D7E9F8616939E91536A94606F71DFDFD75B2E410D07CABB8D4B018F9A3122140DF1263A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{..........."!..0..............*... ........@.. ....................................`.................................8*..S....@...................)...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p*......H........ ......................P .............................................:..1.,c..D....p1..7.......Z.O..$.....*i.mCd7=w........ ....J..g....1:.V.Rv.M....F..}.h5........f)#&.c...,......vBSJB............v4.0.30319......`... ...#~..........#Strings............#GUID...........#Blob......................3..................................................,...4.,...p.....L.......R.........t.....l.....V.....V.................................................,...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):221960
                                                                                                                                                                                                                                        Entropy (8bit):6.872789919122551
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:d1Bg53qlzkOGjMD1jUZVEJrSALXuDcWro1CS:jBgxqlz1GgDRKVEJOIuDcWcCS
                                                                                                                                                                                                                                        MD5:C1D83BB993CA11B212B0B44576DD31E3
                                                                                                                                                                                                                                        SHA1:E819306131C8FDEB9CF89DDB0C9DAAA5B517BF22
                                                                                                                                                                                                                                        SHA-256:CD2F87FC4EA7F88B52EB8521EDE7D36B80BB329FAA8DE163BC0C0491832D0F74
                                                                                                                                                                                                                                        SHA-512:29D3EA8C257893095C6B076F1F17D903A74EF7E7AD4AE52C87B7746168BEAB1D828D2EEB037FC1AF76C5CBC2A61629F04873248A96456340EFDAB1EE96341692
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" ......... ...............................................`......~t....`...@......@............... .......................................T..x....:...)...P......P...T...............................................................H............text...1........................... ..`.data...P....0......................@....reloc.......P.......6..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...N.u.m.e.r.i.c.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):322824
                                                                                                                                                                                                                                        Entropy (8bit):6.695090576962379
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:5vZzvy5t66x3yEHAc1mZdOqZYqdKfR8wwWRwG/Y14CFYHQ9B7B:/vSiEHAc1mZ4q0uRawG+dz9B7B
                                                                                                                                                                                                                                        MD5:025DB3101A59BB29AFE8FCDC33D5590A
                                                                                                                                                                                                                                        SHA1:0AB913D0EEDAB18146897D866EBF785C78681439
                                                                                                                                                                                                                                        SHA-256:B7BA1AA2D0276DEDA176C1AD572C3C4FAD224FFCFEFC045896B52AD730673EB7
                                                                                                                                                                                                                                        SHA-512:3E3B9CE99C4BAC8E4B00C38E93DE59EAFBD0651F03A5E25E51916D399318B958FDCAF95AB961688C1318E117727E1D12EA2C43F0EBF79E4E0126CB3B113B924C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....V..........." .....p...R............................................................`...@......@............... .......................................o...........)......(....&..T...............................................................H............text....n.......p.................. ..`.data....I.......J...r..............@....reloc..(...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...S.e.r.i.a.l.i.z.a.t.i.o.n...F.o.r.m.a.t.t.e.r.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.730609288657777
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kB9qNyVWbuPdB5W2YA6VFHRN7wYVMR9z2vn/:iayWudBzFClwv9zwn/
                                                                                                                                                                                                                                        MD5:686CD3BE26B4649484D56031B21627FC
                                                                                                                                                                                                                                        SHA1:4CE1F71FBCFAEE92A0D38F32BCACE1C4D077A488
                                                                                                                                                                                                                                        SHA-256:069AFF3EC1D53B0A2255DE6243A057E9B00AC6D01479F35382B2B16BB57A23A2
                                                                                                                                                                                                                                        SHA-512:9596C529CD67B37E7CBEEA03496B17DF4CD56D2519AB715D57290EADDA16D8CF72CD9F7A5E18AE10CA5787B856667BB9B05EC636C88DF1B4D8EEE2163FC3017D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O?..........."!..0.............~*... ........@.. ..............................UH....`.................................,*..O....@...................)...`......h)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H........ ......................P ........................................_...DGw......GA..=..-G]V.....=.na........O.[.0.l'5d..a9.q4.+.*..v.2.cE.T...161..(O.........?.5..K. "....-...4.^y.'m..[.BSJB............v4.0.30319......`.......#~..|...d...#Strings............#GUID...........#Blob......................3............................................................3...........^.....a.......O.....O...w.O.....O.....O...w.O.....O.....O...G.O...I.........................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28944
                                                                                                                                                                                                                                        Entropy (8bit):6.471330473213999
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MHWFIBJBrW8trwhWKH0sdznMbKF+87makO2akSMHHDHEHsObEruYA6VFHRN7HqR4:MqCJBZtrelWW+8d8KnFClHG9ze
                                                                                                                                                                                                                                        MD5:A1968D6A862286C05F86EAC22F21B8C3
                                                                                                                                                                                                                                        SHA1:D23A410A8A4450EACE5AA230E088ACEB6743B29C
                                                                                                                                                                                                                                        SHA-256:938F43DB59DBED4F306492750DF1CA32B2F5F487AC00F1DCCF27830231F2DCB6
                                                                                                                                                                                                                                        SHA-512:8060EC092E97041AEC48E9F23BD27F8E8555161A74C213E182104E65F2B80E2285EB73F6A69EA4BFD8903936C59F958DE2F48AE297AF66942C6BE861B9C27DF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....@...................................................p............`...@......@............... ...............................................H...)...`..(.......T...............................................................H............text....>.......@.................. ..`.data........P.......B..............@....reloc..(....`.......F..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...S.e.r.i.a.l.i.z.a.t.i.o.n...P.r.i.m.i.t.i.v.e.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.762030084243297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:guYklmI8N5vBRMWsB4BBgWGYA6VFHRN72kFDR9z7WsKkR:OklmI8N55Ri6BBEFCldl9zn
                                                                                                                                                                                                                                        MD5:53330C1C8FD918CA2141C0039D72BC1B
                                                                                                                                                                                                                                        SHA1:51B86E844A3655398ED9DE18D7490429BB0F1E6E
                                                                                                                                                                                                                                        SHA-256:0F8A0BCEFBC1F0E854CFCDBA028C53C8D658B3CAA26706DE6D1BC89A92CB4C22
                                                                                                                                                                                                                                        SHA-512:D4F1CA15CE03EC02BD009B0D5E03612AF2C34C19E8D50F2CFE39C6CFD9C7D687CC95292F5A5548A11C7ECB3339BA816659BE535B6403B2F3BC955E8587DAE199
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0..............-... ........@.. ...............................v....`.................................p-..K....@...................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........ ......................P .........................................].h......[..ja-R......Q....GD..>.U ...x..6.;...-.a.9.>_...J../.A...D.}Udr..mV......Q.....E.8.Sv..V7.Ov.5`.Z..XN.Q>EBSJB............v4.0.30319......`...d...#~......d...#Strings....(.......#GUID...8.......#Blob......................3..................................................f.....f...W.;.................Q.........=...........R.......................9.....k.....m.f.......................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17672
                                                                                                                                                                                                                                        Entropy (8bit):6.6341633149040415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:y6EvDj8NluLWgMM4BHWdYA6VFHRN7J/ecTR9z6Dw/:y6EvDj8NsPP4BGFClVzV9z2W
                                                                                                                                                                                                                                        MD5:C68962D082AF9B2AA66574EB7CC19E32
                                                                                                                                                                                                                                        SHA1:EB28F7AE0ADAB40F950098E6AC4C24EFA7A16031
                                                                                                                                                                                                                                        SHA-256:62C5827EB74A101342D3C02EC909B6F9F2CEF8C871A21AF93129BDAA16003EB7
                                                                                                                                                                                                                                        SHA-512:99BB410F23E4FD2AD46F8ECAE38C881BBAB0A6252DEFB25EB53CFF659323586A28B269B1061B04E23D0433F4E62D8E4A5260C0E80DF5C79A6DC19C137E06B4C7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............0... ...@....... ..............................B.....`..................................0..O....@...................)...`......./..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H.......P ......................./......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob............T.........3....................................,.....................f.......t...............7.......t...=.t...M.t.....t...B.t.....t.....t.....t.....t...e.w...&.w...r.........................T.....T.....T...).T...1.T...9.T...A.T...I.T...Q.T...Y.T...a.T...i.T...q.T...y.T.....T. ...T.....T...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42768
                                                                                                                                                                                                                                        Entropy (8bit):5.818262385725449
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:YBV0jdpFKYl5f4bGRi2xVbcVT4p8JOaFCl6l9zPh:kedGYl5f4bGR3G04OWi63zZ
                                                                                                                                                                                                                                        MD5:B515896FEB8F4B378E9F6FEE22F5F1E6
                                                                                                                                                                                                                                        SHA1:348411DE58A4156B649EE9C6277B2735D88345D5
                                                                                                                                                                                                                                        SHA-256:6B9AF60B2B7947B7B960EF3012ADC7A81E5ACF6E990BC3FE6AF51CB13E07F91C
                                                                                                                                                                                                                                        SHA-512:9889D61E5F03A59B54E80D2DB49606D13DD5AFCF45E0EAEA4EFD34BF46C66FE30780A68DBD920C0C1424855AC51F62DD836D010902573113C8E93869DB6A9C09
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yU............"!..0..t..........^.... ........@.. ...............................l....`.....................................W.......X............~...)..........d...8............................................ ............... ..H............text...dr... ...t.................. ..`.rsrc...X............v..............@..@.reloc...............|..............@..B................@.......H........ ...p..................P ..........................................`.).v..v....2..#TU.eMX=.I..r...k@$.#...```.S.J...D5..........'..@......7...k.%Y........ 3*.j.......eV.{.3>..g....G.~|]iBSJB............v4.0.30319......`...l0..#~...0...=..#Strings.....m......#GUID....m......#Blob......................3................................T...............'.[3..".[3.....2...3....e.....>.. ....<3....<3....j!....j!....j!....j!....j!..q.j!....j!....j!..R.j!..&.[3..........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215336
                                                                                                                                                                                                                                        Entropy (8bit):6.694443379581404
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:LcFFAFBS7nsE9WXBeAJRAipIx7kgmlZnFW2iBeVICTiupU8TVUnVZ5PDMXZoKcQf:K7sE9kesRA2imlZo2XZcn3m
                                                                                                                                                                                                                                        MD5:9845B4D023FABDEFCFECDA062FC68781
                                                                                                                                                                                                                                        SHA1:DF17714A108EE4E81F8E0B32F3AECEA03ACB9157
                                                                                                                                                                                                                                        SHA-256:57F85C61E832FD5DDB91A3C161939CD8DB72A8A6DE449A83F5C3070E6DACF48D
                                                                                                                                                                                                                                        SHA-512:49F186BD9DA01A378D9DCB1D9EF575A653B0A6779F3196FE318E6C47661857BF2A15231B0FB552014D1F3DB7F04AB990B344DC7F354711ECB1321FE40BE16786
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...|..........." .........$...............................................@............`...@......@............... ......................................@W..p.... ..()...0.......#..T...............................................................H............text............................... ..`.data...n........ ..................@....reloc.......0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):94480
                                                                                                                                                                                                                                        Entropy (8bit):6.450155185151261
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:vv1N9Mf5d/pMIJ7nZUyOuX3Gpafbqb9/8kGOQwQ7rzUU3q2bP6vOVFp6i/3zi:vNnMf5dhbJ3OuX3GpEbq5hOVys3m
                                                                                                                                                                                                                                        MD5:4CD484994224EC26CC86A61743DBFE6B
                                                                                                                                                                                                                                        SHA1:1BE9B7AA319B5F20FCA74C98BF57758FF7FCEDB6
                                                                                                                                                                                                                                        SHA-256:BC4EDCFC6BB6D79E110FBA0D203D96B5436D99969AD71C76A423A79410378A0F
                                                                                                                                                                                                                                        SHA-512:8CADDE72709AA52921C6175517B6DCC51D97D4207A1833A6071B876CFDC71BE0EFEF2CA65EB99E5B705A85E4F07CE363A0BBB55BC38C4BD6BE1483A5A871D6C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...T............." .....4...................................................p............`...@......@............... .......................................-..<....H...)...`..<...h...T...............................................................H............text...T2.......4.................. ..`.data...!....P.......6..............@....reloc..<....`.......F..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.l.a.i.m.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Algorithms.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):808712
                                                                                                                                                                                                                                        Entropy (8bit):6.664977714687645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:H9Dux8VLSQjVqSlDrd5BpwxL55pskx5d7Cil:Htux8VLSQjVqSlDrd5BOxjmkx5d7CC
                                                                                                                                                                                                                                        MD5:5475964C62302DFD0A25A7243A9515CE
                                                                                                                                                                                                                                        SHA1:2E4FF863094D9E72BB1454066002DCA346A290F1
                                                                                                                                                                                                                                        SHA-256:B9720FCA323DD3B0169ABF221692C7A3F236FAF90C5694E10FA2806B5E41FD03
                                                                                                                                                                                                                                        SHA-512:2FEEC780CA49E2E018C26C9BC43FC0D6CFBEC590318437621C65C7B155EE233FD34B7534E515F0967B4110CC2077CDA0C01E8232C3C5C0B5128FF25709C656E7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;............." .........................................................@......A.....`...@......@............... .......................................)...Y.......)...0..$....B..T...............................................................H............text...k........................... ..`.data...#~..........................@....reloc..$....0......."..............@..B............................................0.......................|...4.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...p.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):486664
                                                                                                                                                                                                                                        Entropy (8bit):6.690959844635634
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:SLV6FPkjfmpzkb1gH0BEuUWZpQmMcxhRl3W1E:RHFcY0BEuUWHQmMcxhC1E
                                                                                                                                                                                                                                        MD5:6285B8AFEAF9C4ECC2519A2ABCDA4A5D
                                                                                                                                                                                                                                        SHA1:AF11E8E1F8E904C93C47A28CDC606E66D2AB9C38
                                                                                                                                                                                                                                        SHA-256:B48DC65ABE78E81118D4C382C80650F5AE0D99AB6FBEBCD4DEAAB00FF7E0DBB8
                                                                                                                                                                                                                                        SHA-512:78DF10774CF735C6518E91D50ED5B2A0906F1174CF5F7A42B3328C5B688980540576F43BA73B133E2D2C1DB57D0A1AF8D1880DE02F234EBDC57B6F2E2D5400C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...<............" .........Z...............................................p.......J....`...@......@............... ..................................h........2...D...)...`......(0..T...........................................................h...H............text............................... ..`.data....P.......R..................@....reloc.......`.......<..............@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):189616
                                                                                                                                                                                                                                        Entropy (8bit):6.63337493461881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:G6RmWBsH04GekCQUVP2xrwjy09JN/KBWAUQ335BotiEqKaMJDByGjLz:aWBs3jikjUBotrJMGjv
                                                                                                                                                                                                                                        MD5:6DA6288454299B3A91665D9A3FFD66BD
                                                                                                                                                                                                                                        SHA1:D2E26B1D89E7817899F6AD2898AC704CC6F2CD59
                                                                                                                                                                                                                                        SHA-256:89B1575E5F32F368B53496A3F15529FEDE58C0324E1A12FCD20609D6CA4DAA63
                                                                                                                                                                                                                                        SHA-512:A0301422806C16AA8990AC2936EB62468E089F4786909C41EAFDC4E6B0A40DBB7D3E1D544A954C705E8584E22FF30172A9909A860BACBC41C234BB640892949C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" ................................................................\.....`...@......@............... ..................................h...lO..X........(..........."..T...........................................................h...H............text.............................. ..`.data....).......*..................@....reloc..............................@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93960
                                                                                                                                                                                                                                        Entropy (8bit):6.412269331705843
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Rh4T10wJ4hT5wzwW7c1LyoOeSRzxIdvaJyiyTzk0:R8SH5wzXcLyheSRzxavaQjTY0
                                                                                                                                                                                                                                        MD5:C048A59F3891B02B3BC8A194F3D21026
                                                                                                                                                                                                                                        SHA1:30D9CEB4188CF4A4B17138CAEFD3B2451B05D292
                                                                                                                                                                                                                                        SHA-256:59FAD34EEEE26623D44EE9D541D0E53D89A4D8A42BFF59FE466950A771BF4CFB
                                                                                                                                                                                                                                        SHA-512:27674625D2D249BF794DBC7F893FA403245A78B3D3DE7E32C72EC9CC7F496C2AF6752FC87B4599462128BDCBDDDF459C6754E1FDFF6148E0EFB7255FF72DE270
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....&...................................................p.......|....`...@......@............... .......................................*..\....F...)...`..(.......T...............................................................H............text...C%.......&.................. ..`.data........@.......(..............@....reloc..(....`.......D..............@..B............................................0.......................p...(.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...d.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32008
                                                                                                                                                                                                                                        Entropy (8bit):6.247706814220908
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:h9WAmkijRW8bwPV0D/F/pQ+1+HCeqtwlSYmxNOcVIFN2PiYA6VFHRN7xRxB+R9zD:ALeqylSYm71VI6qFClxRxw9zfr
                                                                                                                                                                                                                                        MD5:9648F56C224A96801B518AE5386AA184
                                                                                                                                                                                                                                        SHA1:9896F6B1D9A296BA0FF244A555814D52D914431C
                                                                                                                                                                                                                                        SHA-256:FFF0AAE4CAB8C18D606E6246FE42F290143DB0D3A88A1A1229A77D8BD8441E67
                                                                                                                                                                                                                                        SHA-512:C73F115BB4D0F40FF4723B634F74B909F29142A930B90431FA4395B7A6EE4FF3A5715A9D141D92D56448578D6A325637207644A330DA92D2756D363840D8AE8D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....N..........................................................j.....`...@......@............... ......................................@........T...)...p..........T...............................................................H............text...'L.......N.................. ..`.data........`.......P..............@....reloc.......p.......R..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...b.%...C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.r.y.p.t.o.g.r.a.p.h.y...O.p.e.n.S.s.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...r.%...F.i.l.e.D.e.s.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):134832
                                                                                                                                                                                                                                        Entropy (8bit):6.565847770018715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:nmpOj/BZX3krpmsUjMM+JbVUowS0hcbGWbrrrrrrrrrrrrrrrrrrrrrrrrrrrrr0:OOzBZXCPMpcbGnKk
                                                                                                                                                                                                                                        MD5:5CF4F3F906B7DC346D47B0796B2D621D
                                                                                                                                                                                                                                        SHA1:FCF0DE67C5D07ACE0D8951C2537636F99DE8D300
                                                                                                                                                                                                                                        SHA-256:77ED6C9832BBECAE32FE536D891EDA847405FA6AFE8801BE05B37FF6F759D299
                                                                                                                                                                                                                                        SHA-512:B9F501D60EB7CF60480D2BA9F2115FB99A88E9D2014E36FB49CEE0654C4FF79E219A7F3E0E838E6902ECDE1187386C0819A39B88CE171B4207724EC05C39287A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....e............" .........(......................................................N.....`...@......@............... .......................................;...........(......d.......T...............................................................H............text...T........................... ..`.data....".......$..................@....reloc..d...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.r.y.p.t.o.g.r.a.p.h.y...P.r.i.m.i.t.i.v.e.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.X509Certificates.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):569112
                                                                                                                                                                                                                                        Entropy (8bit):6.705893750506672
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:vAcy1XypsaHU2lIwi3iX4MbITp9whYDgPbxmBVWDw7nzNZwz:vsXyG6U2l0yYDgPbxmfWDwrT2
                                                                                                                                                                                                                                        MD5:AD8966E489A4FEB1AD013A6B8A193D1D
                                                                                                                                                                                                                                        SHA1:354514606D252A88BC71D04DBBA4353C14B99FB9
                                                                                                                                                                                                                                        SHA-256:78D5ADA7A18329B9902DFBB0AFD4F2D3A56A761D1A25E28BE0959B9C7E856783
                                                                                                                                                                                                                                        SHA-512:E211E153EB349C249750172DBEFA48DEC4CE01D8A935D353C37C61E7E04B373A7C76C7E8D2CCA2FCF8DE77DC0BB6C3ABAF54829FC993DC80263C511EBF4BBF33
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....]............" ................................................................zc....`...@......@............... ......................................X...@8.......)..........p4..T...............................................................H............text............................... ..`.data...............................@....reloc...............z..............@..B............................................0...........................X.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):151712
                                                                                                                                                                                                                                        Entropy (8bit):6.659992108362537
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bhGUnc0ENS370LLFNAzreyfs2A1upqcyeeRAr:lvc5Np5N1Os2fmI
                                                                                                                                                                                                                                        MD5:64AEB21B8C192B802F2C7DBF18F9C2E0
                                                                                                                                                                                                                                        SHA1:3740D3BC11D4F46909FE0F552B146B473922D70C
                                                                                                                                                                                                                                        SHA-256:2DA3E9DCA14992E113B470A0D711A51FD265D7775D9AFFA7DBDF6BEC929601C0
                                                                                                                                                                                                                                        SHA-512:BC979D59F8F3D3AE8B0E7E9E4A7F76A6BE08D48A8940B014CDEA532B6EF10DA2DBE9D528A4F2ADEDF98D23C3A5B287F1570B1A0CDCC68FEEC5D7C1C3C0351425
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....J............" .........$...............................................P............`...@......@............... ..................................h....F.......(...(...@..........T...........................................................h...H............text...e........................... ..`.data...U.... ... ..................@....reloc.......@.......$..............@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.835682351794018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:mFQiRxx1WjWVUFfW+WHWxNzx95jmHnhWgN7acWel9HeAwKUWX01k9z3Aia+6w7Eu:mT/EWiFfWTIX6HRN753HO2R9zza+d1
                                                                                                                                                                                                                                        MD5:66B8459A7C59846CD44FF73680C4D57C
                                                                                                                                                                                                                                        SHA1:5521416312890B86C416345F22DA8E1322E2F8E5
                                                                                                                                                                                                                                        SHA-256:10BDF418B380871231F3DB7EC68D756E5935D4EF39F97C017B07E5A4308C7468
                                                                                                                                                                                                                                        SHA-512:6BF64AFD3EA6D2D3EEF3EE8D278FC6504E7DB694AFDD5191883C3690B76C67F4F234F0B6CDF4945A5A705BC1B90A9C29D9CA4F3066AF18BEC2179230CC85AFF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i............."!..0..............)... ........@.. ....................................`..................................)..S....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................H.....+C........Pe..w.G.....Rq...H...O..d.(.^...d...=m}..o.....d.32...r5\.%4u...l[....`P....5.pq:._..c5k.j...MDRBSJB............v4.0.30319......`.......#~..X.......#Strings....X.......#GUID...h.......#Blob......................3......................................F........."...........;...........f.......d.................k...!.k.....k...[.k.....k.....k.....k...B.k...O.k...v.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.SecureString.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                                        Entropy (8bit):6.8222624190824
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:sXt7kBrr7Hxo5qW193WZpWjA6Kr4PFHnhWgN7agWF1tfKUSIX01k9z3ARq/c9:yterFiqW193WZYA6VFHRN72D2IR9zoH
                                                                                                                                                                                                                                        MD5:D250B5CDEAD6EB54586E910070B68674
                                                                                                                                                                                                                                        SHA1:68B939B43A46DB57F4B500CB51A9A976EFC0862B
                                                                                                                                                                                                                                        SHA-256:E0BC424EFD7068DFC45FEA7CB30AE38D0B1A654CC74EF6C1D501D2CE688F6E07
                                                                                                                                                                                                                                        SHA-512:DF8AFF3A868831E4F4F39385300D4B702C0321CF15E8D0B38A5059D44C454B21C8C82BA4D26CA6A2966DE9DB8E963788921B34896CAA357FEB3F39E50541131A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....%..........."!..0..............)... ........@.. ..............................r.....`..................................)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................e.v...v..aNd.7...?.<j..l...2CeD?.i...s-.0y.Y.C........5T.h............}!...J%q4m.$........Q4.....A......2...'.d....dBSJB............v4.0.30319......`.......#~..P.......#Strings....4.......#GUID...D.......#Blob......................3......................................2.....................3.r.........^.......S.................Z.....Z.....Z...S.Z.....Z...w.Z.....Z...:.Z...G.Z...n.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18696
                                                                                                                                                                                                                                        Entropy (8bit):6.605933383250857
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:p+rueDGLr3WsBDWuxYA6VFHRN72FNbZR9zahhe:teDGPpvFCl2FFT9zse
                                                                                                                                                                                                                                        MD5:05968C5075CF8057D3330A93AA54CF64
                                                                                                                                                                                                                                        SHA1:D7AD923779991EFFA838F107F949358B36AE1B99
                                                                                                                                                                                                                                        SHA-256:E9FE6E6B9C8F6FED5C3E44D094742F762E67528FF943FEFB52D03B0422D4F8A0
                                                                                                                                                                                                                                        SHA-512:2EB2925D269A1C09A1BF5012563A3509322C16CC68B04B3210EB47FA7A92DDC78D23C3CBAD99D4E2A3F326CD6CE4F3723980D834FE917173B0BFEA3AA45786AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.............^5... ...@....... ..............................+W....`..................................5..O....@..X............ ...)...`......44..T............................................ ............... ..H............text...d.... ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B................?5......H.......P ..d....................3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......H...#Blob............T.........3....................................O.................p...~.p.....;...............O.=.....}.....}...e.}.....}.....}...'.}...D.}.....}.....}...n.................7.p.................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'...y.'.....'. ...'.....'...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17680
                                                                                                                                                                                                                                        Entropy (8bit):6.6083676504439905
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:AiSEs6760DX88Hg10WGlD5WdpWjA6Kr4PFHnhWgN7agW43fKUSIX01k9z3ARq+da:Axj10WyD5WdYA6VFHRN7xP2IR9zojda
                                                                                                                                                                                                                                        MD5:8D40E6093D4EB840E2480D6E383EB442
                                                                                                                                                                                                                                        SHA1:2EA0372488E3EFCFAB7074751DF8B60309DDBB0C
                                                                                                                                                                                                                                        SHA-256:9DDCC239CE0E75AA7845E6DE8B31ADAA25C6B5EEE78D75EE904CDBBED7C7BBA0
                                                                                                                                                                                                                                        SHA-512:9FCC45BDDCF4B187B15C8EDA5E6CA40D7825B7A6D1142772EEA9B70A1F9967D7A9C709E513B0EB91A2200F301A72F356142408861DC4FEA27AA0CF825C64A838
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............0... ...@....... ...............................J....`................................../..O....@...................)...`..........T............................................ ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H.......P ......................`.......................................BSJB............v4.0.30319......l.......#~......,...#Strings............#US.........#GUID.......P...#Blob............T.........3....................................&.................................%.....?.....^.......S.....S...t.S...+.S.....S...X.S...u.S.....S...(.S...D.H.....H.........F.......{...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.715278782126483
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:alWpWnizlpFWqYA6VFHRN7qcTR9z6IkON:a4lFCl3V9zGON
                                                                                                                                                                                                                                        MD5:AA81502801E5AF25A5F74303D00A755A
                                                                                                                                                                                                                                        SHA1:590784EF4329D7F411979FFB77EA673C03B0539B
                                                                                                                                                                                                                                        SHA-256:F72F7BC1E1F16D3CF4F6C3162862F7F97B9108186BBD929B55DD94E6E98584D4
                                                                                                                                                                                                                                        SHA-512:509F31F1487081DD1D2B303B9C2F60E1620AF7D1D999A036B4B91FEAB085CD86101453E552993D1B913C5239AD575CC224708B3B6E23054E2E139B86CB66125B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.6..........." ..0..............,... ...@....... ..............................SS....`..................................,..O....@...................)...`.......+..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ......................H+......................................BSJB............v4.0.30319......l.......#~..<...X...#Strings............#US.........#GUID.......P...#Blob............T.........3..........................................o...........w...7.w...v.d...........U.........~.....B.................a...................................".....\.H.....w.................^.....^.....^...).^...1.^...9.^...A.^...I.^...Q.^...Y.^...a.^...i.^...q.^...y.^.....^. ...^.....^...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):871176
                                                                                                                                                                                                                                        Entropy (8bit):7.50414684491355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:L47xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPfREDfP7/1qiVhIWCC:LK9km6k/IwRYbiBeKGCUREDrZV2hC
                                                                                                                                                                                                                                        MD5:9D199E9F27CB473674BAB5BFC70F6871
                                                                                                                                                                                                                                        SHA1:F7069C033BB340E81C1BE7BD4BC062EE21347B09
                                                                                                                                                                                                                                        SHA-256:5FA8A35279B15DE005337AC2B59CDE11A147C21143B12564A453F1CD44566170
                                                                                                                                                                                                                                        SHA-512:D46DA52295442A82DFDD6BD3CBB2949A79CD8B51B31EB1E176476E455D216D1C7ED55ED6F4B44289A3081C8A9C06020DE29C8F0D0D22CA40AAC117D043F740CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....g_..........." .........&...............................................P............`...@......@............... ......................................LJ..L...."...)...@......."..T...............................................................H............text............................... ..`.data.... ......."..................@....reloc.......@......................@..B............................................0...........................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.7268764981814115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mNZvlXIW6zJWUYA6VFHRN7cUvY2IR9zoOaC:4s1FClZvbU9z3X
                                                                                                                                                                                                                                        MD5:DB5F67EC7D4CEFE625549E650C2B783D
                                                                                                                                                                                                                                        SHA1:0EE4FB5F26575B570122AE3C9A184DDD0B3EBA49
                                                                                                                                                                                                                                        SHA-256:3CC4AFFE60DC1DE5F66706B39A24D7E96D708A463A9A92A05288D6BA246E09E5
                                                                                                                                                                                                                                        SHA-512:4D86E8E161CEFB0596F1D98D52D18107CE51D6155D42C1BDDC200710BCA88317B01B2E0E84C39E85E7E70E9023B2AFB2E79737F3ED32973EB0D3106806F4247A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n............."!..0.............n*... ........@.. ..............................\.....`..................................*..O....@...................)...`......\)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P ......................................Q.(..e.NMO`._jh[......Js....o H.......0-.....w S...a...6.T..q../..0........,)..@LqS<.......a....hG.X-.o..3./.!...~#.{>.p0.B[...BSJB............v4.0.30319......`... ...#~......H...#Strings............#GUID...........#Blob......................3......................................v.........I...........b.............H.........$.....b...........H...................................i.....v...................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16160
                                                                                                                                                                                                                                        Entropy (8bit):6.78497387239177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:d+gBIojxxXjWfPNWRxWxNzx95jmHnhWgN7agWQY/TAgfcMbnoQNpX01k9z3Abte9:dJNjWfPNWRaX6HRN7sT/7R9zCS
                                                                                                                                                                                                                                        MD5:3E33747D79B6584609C60EF5A8318F5A
                                                                                                                                                                                                                                        SHA1:BCA2F7FBF2E45DC02C40C263FEE708624C9102AC
                                                                                                                                                                                                                                        SHA-256:068F309AC98BD15B1EFF243759661CC21F30E1B4CC02CCF8317233FA31D3B7CA
                                                                                                                                                                                                                                        SHA-512:4624C53E6E7F02E4A064FD0239C0B4B8B18A325470E9DFE051600E2CE7B1B53F7C18D5D51BAE978FA2216E0ADD928346EDA41D4F210A3556C7A7761B5D257E83
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.{..........."!..0..............+... ........@.. ....................................`.................................P+..K....@.................. )...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ........................................M...V_.".....Y.).......lLj3..l.oh.,...R.M7....Mx.*q.cV]...L.n=..^..1.x...#c...Q...~..m8.y...ACz3.X.k...[.8A.g.n.b}.....BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...,.......#Blob......................3................................................"...........;...........f.............................!...........[.......................B.....O.....v.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131376
                                                                                                                                                                                                                                        Entropy (8bit):6.512717394823719
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ze6mI/UjfYxSwKqqOAl/Rn0nzg9RaBiTV:q77jfY8BSza2iV
                                                                                                                                                                                                                                        MD5:F596694C6924FFA61DD21A0F36FDD0BD
                                                                                                                                                                                                                                        SHA1:21C64C8FBDC2AB6065E70E6A500537137FEF60FD
                                                                                                                                                                                                                                        SHA-256:146CC7B373565F4B88558690F9B2132CC308719C72AC2603F7199E0EC6A21FE7
                                                                                                                                                                                                                                        SHA-512:36644B0A2842C8BD5A7EA6F6F435916FD9ADE2F3039AA7C7652E6EA85E41019B0D9470DFA7B1D99A766FE9332521D87605E644FAF9749060C2016277BE89DB66
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...}.&..........." ......................................................................`...@......@............... .......................................0..........0)......,...h...T...............................................................H............text............................... ..`.data...K...........................@....reloc..,...........................@..B............................................0...........................\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .t.y.p.e.s. .f.o.r. .e.n.c.o.d.i.n.g. .a.n.d. .e.s.c.a.p.i.n.g. .s.t.r.i.n.g.s. .f.o.r. .u.s.e. .i.n. .J.a.v.a.S.c.r.i.p.t.,. .H.y.p.e.r.T.e.x.t. .M.a.r.k.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1486120
                                                                                                                                                                                                                                        Entropy (8bit):6.807053388231781
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:BMUw61/OBH5KoaypUegQ/INE5bk9u7hInuKqO:C6mwZAUegqINGg3uY
                                                                                                                                                                                                                                        MD5:4281F86C7DA4EC32A1579D04D1A34467
                                                                                                                                                                                                                                        SHA1:B6D46920575587878DB36A68FEDFA6FEF09A2A27
                                                                                                                                                                                                                                        SHA-256:0EFF9FFCA65F556D8BE24E4EDDA1D08640A6D040082B8D34B993EC292BAC10FF
                                                                                                                                                                                                                                        SHA-512:697E0BA5BF9B97C300E5B66E61608285C1CE0E4B48B52C5BAF5CA33FB0D405F72E2AA5A50C7E6E6B8C5A7D922232189E1EC26F2B967977B74579572D3B772133
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....8...J............................................................`...@......@............... .........................................L.......()..........HP..T...............................................................H............text...x6.......8.................. ..`.data...O....P...0...:..............@....reloc...............j..............@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....I...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .h.i.g.h.-.p.e.r.f.o.r.m.a.n.c.e. .a.n.d. .l.o.w.-.a.l.l.o.c.a.t.i.n.g. .t.y.p.e.s. .t.h.a.t. .s.e.r.i.a.l.i.z.e. .o.b.j.e.c.t.s. .t.o. .J.a.v.a.S.c.r.i.p.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.RegularExpressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):530184
                                                                                                                                                                                                                                        Entropy (8bit):6.7797079476090305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fDaJSWfE1hvpmzn7z/HpVxn87bC/m+VvHKHhiKpwR4wcMPVZ22xS+yLARBf:DW2Yzn7z/HpVxn87e/m6CHhUPVZ2iOL4
                                                                                                                                                                                                                                        MD5:0F128F48BAB6D1D52889BE2FF1EEFED0
                                                                                                                                                                                                                                        SHA1:06A028FABC2691AF5F2E5A661FB78075A0C1C2D8
                                                                                                                                                                                                                                        SHA-256:CBA15580E79FEC0A44337BAD40F35285ABA0C7A02E43EB84EEC3415738105CDF
                                                                                                                                                                                                                                        SHA-512:123C019921C949112A2A944D2A441FF53E7B09E6E14E239656F25B22EDE5520E5DAB877041F8A144F608D4AA3D2E0BA0C4EDE65ED928D5FF7BA63F585534CE55
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....|...p......................................................=&....`...@......@............... ......................................|...|).......)..........0)..T...............................................................H............text....z.......|.................. ..`.data....f.......h...~..............@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.e.x.t...R.e.g.u.l.a.r.E.x.p.r.e.s.s.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):125208
                                                                                                                                                                                                                                        Entropy (8bit):6.692637451202541
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:jzHXIurk9aiG9fxBFXRPxlhzKhtTwg8AHWDV5yWR63:n3E695BFXRplhOzwDDjRM
                                                                                                                                                                                                                                        MD5:CB464FDA974470435C4CA140B4FADA57
                                                                                                                                                                                                                                        SHA1:D19EAB3F2D239CB5DF052757838D33332317C136
                                                                                                                                                                                                                                        SHA-256:EC11B988107C97601DE33DEF84F7259A36BC3007FFD9CDB584891114F9B41E46
                                                                                                                                                                                                                                        SHA-512:AEBC1EAA4B2687D24C8A5B408AB16D153B576B9832F41A553F28D576D545451D2259EDBD63960D9D7AD3723D3BA5CE36346089A77E515AB807FA9CD521ED7711
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........*......................................................).....`...@......@............... ......................................T7...........)..............T...............................................................H............text............................... ..`.data....%.......&..................@....reloc..............................@..B............................................0...........................8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...t.....0.0.0.0.0.4.b.0...8.....C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .t.y.p.e.s. .f.o.r. .p.a.s.s.i.n.g. .d.a.t.a. .b.e.t.w.e.e.n. .p.r.o.d.u.c.e.r.s. .a.n.d. .c.o.n.s.u.m.e.r.s...........C.o.m.m.o.n.l.y. .U.s.e.d. .T.y.p.e.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.733717704448286
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fDt+HYCHcXuHV2HDHtWcNHWZYA6VFHRN7V04MR9z2WA:TzeFClVU9zxA
                                                                                                                                                                                                                                        MD5:05AF5514B2968C6042C5B14CB5401F23
                                                                                                                                                                                                                                        SHA1:3B5825931632C7CA230CA1FABD9EBAD1C8304EB3
                                                                                                                                                                                                                                        SHA-256:5C1B1C2129E8A201CB583F6595BFD9339D2A6D52F4F371C8013C85147EC94E32
                                                                                                                                                                                                                                        SHA-512:58F41A7BE222226A3BEF4271DF0555C6B6C3668C007153C98ECC422D0113F50FDABA0036A2F285D625B5D93E7DCB3F17BC9AA2C8E1193C353D6453504FFA1AD9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c............."!..0.............n*... ........@.. ..............................."....`..................................*..W....@...................)...`......\)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P .......................................3.2.]].4..k...)~ys.t...2.>=..+W.3.l. ..Q..9...."......>drf.mAz..*.=.g..\|EDps.......m..m.c.v%...yJ'-..E...6...*s]:...j.....BSJB............v4.0.30319......`.......#~..x...H...#Strings............#GUID...........#Blob......................3......................................................4...........7.......c.........t.....}.......c...V.....{.................9.....................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):505608
                                                                                                                                                                                                                                        Entropy (8bit):6.7763170175701335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Q5EzXX03uPIhSTcNO/LSsjM5REz4sr4CGFHD6ioscEu/L2SJkSGskfT5v3P1m9rM:Q5Ib0CGFHuioHEdS2vBb5v30COTxwZ
                                                                                                                                                                                                                                        MD5:E332D97CC4AE5DFC6606640A64E7A766
                                                                                                                                                                                                                                        SHA1:ED7C0E78AEC95A6AE10F9DFA7B62728C06E4744A
                                                                                                                                                                                                                                        SHA-256:3411CCC0B6BA1FF70D550A8B7D2D3A373A79584B36C90C06D7BF400AA74EB39A
                                                                                                                                                                                                                                        SHA-512:900ACB2D761A285D7F0E97C9F548D166535329F722D99B285715F284C0C1392AFBEFF44A9E67DA2DF2866177A6778CA9D4F038C3EFF5560B872DB4398D56F5D8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..............." .................................................................6....`...@......@............... ..................................l.......HB.......)..........x"..T...........................................................p...H............text............................... ..`.data...J...........................@....reloc..............................@..B............................................0.......................\.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........t.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...P.....0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...T.P.L. .D.a.t.a.f.l.o.w. .p.r.o.m.o.t.e.s. .a.c.t.o.r./.a.g.e.n.t.-.o.r.i.e.n.t.e.d. .d.e.s.i.g.n.s. .t.h.r.o.u.g.h. .p.r.i.m.i.t.i.v.e.s. .f.o.r. .i.n.-.p.r.o.c.e.s.s. .m.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.821262984361922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Z7z05p091rcmOD5RnGWSNXW0YA6VFHRN7xWMR9z2cO:Z7gAuEPFClz9zq
                                                                                                                                                                                                                                        MD5:7175CFF820ACB9389C713410DD582063
                                                                                                                                                                                                                                        SHA1:F1C47E2B46084FEFFB44BB88D51A3932FB1F3042
                                                                                                                                                                                                                                        SHA-256:D060226E814A1DDF9F607AFAE51F7D5698F8E435A63FCE107E78239E349BA2AC
                                                                                                                                                                                                                                        SHA-512:BCDEBAE2F49084BC3F5AB9097715235E6C0A2257A783B14EAE49F2BA16DD59DA87CDE24DF5CEE6732194F8146B34B0ED4428BC2847E5ACCDA95FF637EC32A5CD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?x............"!..0..............+... ........@.. ..............................l.....`..................................+..K....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ...............................................W'Z.H......l..j.d....&v..j..\.Q_u...]><{Hr..1.+K....L..=........N.....3.M..."*B.8Q.e.....3.~:..L...Qs]..3........jg|BSJB............v4.0.30319......`.......#~......8...#Strings....(.......#GUID...8.......#Blob......................3..................................................z...v.z.....H...............G.......[.....[...............]..........._...........9................./.z.....p.....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139024
                                                                                                                                                                                                                                        Entropy (8bit):6.702745878398023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:brCD+EGnNfGAKUDXxT3LBzdQZ4/FJg9C5OR291oVcJUQz:Hw9GNGAKUbxxzKZ8zaCUQ
                                                                                                                                                                                                                                        MD5:906D0531114C584A2E5EA50BDA99DDC2
                                                                                                                                                                                                                                        SHA1:FF650B1743C72683BC0019DB15332D01DE6ED993
                                                                                                                                                                                                                                        SHA-256:BF2C3F9EBC2A48493796F4002984F43E4630A2DB3FD26F70BD79355F3FF1D563
                                                                                                                                                                                                                                        SHA-512:9F50718BA3C3EC370D3AFAB850B962539CD3C84FC222485DE68289129C0443DD880B86CFED46F68CB9860CB8984E9C09386D3B756B908E160FE55CBEEC2D47AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....\..........." .........*............................................... ...........`...@......@............... .......................................;..(........)..............T...............................................................H............text...b........................... ..`.data....%.......&..................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...X. ...C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.h.r.e.a.d.i.n.g...T.a.s.k.s...P.a.r.a.l.l.e.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...h. ...F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17192
                                                                                                                                                                                                                                        Entropy (8bit):6.7117476098810185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5vCj4AG3tNKiuqFzTR9WHRzWGwYA6VFHRN729WR9zjD:9Cj4LNRuN7wFClF9z/
                                                                                                                                                                                                                                        MD5:0822C689624C42040E5E6F38752AF2C8
                                                                                                                                                                                                                                        SHA1:21002E79AE998FC7B5453C77F09CB036710DBEAD
                                                                                                                                                                                                                                        SHA-256:E9B81690E9D7B3D67C32EB5948D63CC3E1136FF8FA19A19F2A0F5572FF6F8788
                                                                                                                                                                                                                                        SHA-512:1D5D2606C5FEB76EC2187098090DD928C4491EA69A5A46BD5ADAFD2EB8052CAE050F473AA8C078061965960CCBD126543B684EA18EA3D9DD50B8C1C8D0D057D4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....L..........."!..0............../... ........@.. ..............................}.....`.................................h/..S....@..................()...`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H........ ......................P ......................................c.-..6.....f.7.......Y..C..{,.K..V[v|..P....t"......[c@.......l.,.tB.^K.i...$D...M.f.+..Vn.J......l.#......_.b.....S.iP..BSJB............v4.0.30319......`...P...#~......|...#Strings....,.......#GUID...<.......#Blob......................3................................/.....Y.........\.7.....7...u.....W.......&.....t...7.....@...........[...................................|.............7...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.760009477775305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:x6z2EZZV7DiWcZ7WjYA6VFHRN7/QD9R9zrJR+:axa0FClYb9zG
                                                                                                                                                                                                                                        MD5:3661BDD366B6EE1834577CB553D41C88
                                                                                                                                                                                                                                        SHA1:35DB9E13602F99C97F505E12624EFF3E873FD553
                                                                                                                                                                                                                                        SHA-256:E5575C2CFB312E9239978A2D439802F4D8D55C776D10B763ECBE20D2057982E9
                                                                                                                                                                                                                                        SHA-512:43C774556594FBFCC437B1A02FB1C938624E6D379985731A41F78E3782ADA4D8C143D32886794A7ED865FC917378C427DF90144D364F9ECBB8ADDF18CD129FC6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D{B..........."!..0.............>+... ........@.. ....................................`..................................*..W....@...................)...`......4*..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ +......H........ ..d...................P ......................................Lz.F.E.8B.1.@'.....mL.6%"U?B._....s.2.../}}....A.../yt >'\7...8r...v7..]..q.3.P..O.(.....r..E..Z...!@.z.v.......:....j..BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................].........U.@.....@...n.....`.............y...0.!...9.!.........T...................................u.............@...........

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16160
                                                                                                                                                                                                                                        Entropy (8bit):6.712802666065952
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZJ92mRTaW/pBqWEFvWecX6HRN7NtFDR9z7WJFcHv:Zv8v0WNfl9zaFcP
                                                                                                                                                                                                                                        MD5:EC4FF753DA77ED8B2886F1E405A35DBB
                                                                                                                                                                                                                                        SHA1:5EFD154E9DB2D9F5428ED5C7E2CD2E7A6C284641
                                                                                                                                                                                                                                        SHA-256:AA213B5B4B02F04217B98064E0E6C8E67D4CF7297035578A8DEFF06044BC9427
                                                                                                                                                                                                                                        SHA-512:217DCD7F7BAD548BCDBFFAA24B41A56C9CE42BDBF6A08EB1726B58D3CAA0495D8492B3843EA19143D09B7B25B33AA245F45DBF88CC59CA476FBAF9736D977B40
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0..............*... ........@.. ....................................`..................................)..O....@.................. )...`.......)..8............................................ ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..D...................P ......................................~+xk.f..{...,....H...P$../$..U.x"..ve........{`.....[....=QS0...K.A........AX..,.2...L.......GM.....gdt...e..#.`..f...BSJB............v4.0.30319......`.......#~..d... ...#Strings............#GUID...........#Blob......................3......................................P.........7...........P...........{.............................6...........p.......................W.....d...................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Timer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15648
                                                                                                                                                                                                                                        Entropy (8bit):6.818215198409436
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bRif6GCuqMffMIMWsmCWbkX6HRN7g55f9R9zrJRu/NjB:bR9ufnsWk5X9z2/Nt
                                                                                                                                                                                                                                        MD5:DA63DF1047EC11E67E31B84DA75139F8
                                                                                                                                                                                                                                        SHA1:9806EB4FAE997FD0DBDC8DEEB08A1224B6824DEF
                                                                                                                                                                                                                                        SHA-256:FA32A8375FA17F7B2F2ED34B1ED45330A2506DAF0FAE769B9CBC956E36F38DE6
                                                                                                                                                                                                                                        SHA-512:A605F33DE535ADD828B51D636A1D93D642D5D6C998A9A41C527EB62C57C04C346938D86AFFA14A4ADF7B891B7CD3E8E859E7027BC056C8F40E10D3CAB5B348BF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y............"!..0..............)... ........@.. ....................................`.................................T)..W....@.................. )...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ...............................................F...d._6....?.woY"...(......r.y...."H!T.....k).%...z...L.a+J.kM...S...;...ew..89.....3Ar.K...^.j..j..'!/....b._BSJB............v4.0.30319......`.......#~..<.......#Strings............#GUID...(.......#Blob......................3......................................(........."...........;.y.........f.......C.................J...!.J.....J...[.J.....J.....J.....J...B.J...O.J...v.............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):80144
                                                                                                                                                                                                                                        Entropy (8bit):6.549870749231894
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Tc5R35Dx0ibqDo9suGxd1JARH7AWl7iLzn:5A5R3YHDo9gxd12KWl7M7
                                                                                                                                                                                                                                        MD5:217C90BF12B38AEDA557263C7AF4A306
                                                                                                                                                                                                                                        SHA1:56390B1AC126C7BD229EC1B221E7E78BCD35B92F
                                                                                                                                                                                                                                        SHA-256:31F5BB9877E0777AC208A34CB63CF97E4146BF9DDBBB0B8CB451633E7C543F9E
                                                                                                                                                                                                                                        SHA-512:E34AF975E3189846804F2716CDBCD6FFE8D06A6A1D41C9462DFF64DFB79642EE84C944A064E35AD94E9E65B10F0B33CF604928639586137F1F00551AEDD87D7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....a..........." .........................................................0.......Y....`...@......@............... ..................................d....*..\........)... ..$.......T...........................................................h...H............text...K........................... ..`.data...............................@....reloc..$.... ......................@..B............................................0.......................T.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........l.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...H.....0.0.0.0.0.4.b.0...:.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.h.r.e.a.d.i.n.g.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...J.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...T.h.r.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):351520
                                                                                                                                                                                                                                        Entropy (8bit):6.644714489495638
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:rEfCVr/c2WYI0De//sQMd2uAIgeUow53HIt:wf8r02WpMHenlK
                                                                                                                                                                                                                                        MD5:416F763F3F8A2F17177E2609FEEE284A
                                                                                                                                                                                                                                        SHA1:43B261CB27A461949CA6A9BC723696A6CB7A30BF
                                                                                                                                                                                                                                        SHA-256:C62C23429BEE731709EDA16E1986C9BD089B81989E82F9F61D532F815F8C732E
                                                                                                                                                                                                                                        SHA-512:A55B0B2B5196703127A0F36C00021064CCE170D428FD12EFFDA77B09D11932BBA3A92A9FBD8D3CD15F6088FEEF56A65D27E59EE87D4CED59318CF2F62C0CD849
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y............." .........X...............................................P............`...@......@............... .......................................z...3...4.. )...@.......*..T...............................................................H............text...>........................... ..`.data....O.......P..................@....reloc.......@.......,..............@..B............................................0...........................L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...L.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.r.a.n.s.a.c.t.i.o.n.s...L.o.c.a.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...\.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17160
                                                                                                                                                                                                                                        Entropy (8bit):6.676422570015763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:35uFRdU+WzGiWoYA6VFHRN7mhdcTR9z66Q1j:JuFRmqUFClmhmV9zQ
                                                                                                                                                                                                                                        MD5:CF735B049EDD9AECEA6929479D438AB9
                                                                                                                                                                                                                                        SHA1:FE6F3DF934C54DCB28C6C29CD82C42746503031A
                                                                                                                                                                                                                                        SHA-256:EE06ADA630D4799FA5F16A7185890CB660E43ACCF1D377CBA27A3E9C5F83F326
                                                                                                                                                                                                                                        SHA-512:A042CDB90B117777C05DD62E69979F9576682ACE8D8965D1502BACEC5539B36E62AF163EC84C2A1C64E8F55ACFF25E6154FD16C7D52313916080B90B98AD63CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.............j/... ...@....... .............................. |....`................................../..O....@..x................)...`......8...T............................................ ............... ..H............text...p.... ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B................K/......H.......P ..h....................-......................................BSJB............v4.0.30319......l.......#~..d...4...#Strings............#US.........#GUID...........#Blob............T.........3....................................$...............f.O.....O...^.<...o.................H.....*.................+.......................r.....,...........D.$.....O.................6.....6.....6...).6...1.6...9.6...A.6...I.6...Q.6...Y.6...a.6...i.6...q.6...y.6.....6. ...6.....6...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15648
                                                                                                                                                                                                                                        Entropy (8bit):6.822499066467974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:D2Cdc393WtyGWbjX6HRN7in9R9zrJRY0le5:D21JDrWS9zQ0l8
                                                                                                                                                                                                                                        MD5:A61FE4F1CF1323421CD72519E4526BC8
                                                                                                                                                                                                                                        SHA1:59A8697119DD4287022B2ED4C0513EA22F3BB29C
                                                                                                                                                                                                                                        SHA-256:0D8D708352C3B96D1AA193FFBD6F764A701EBFC979C700190494134E0E54F7B3
                                                                                                                                                                                                                                        SHA-512:6A565BE87005BEF075C7C6F0B13953794D52B861B5D40A74D3CCCA9A7813DE18195234827A83A4D38BFDB1CA64A712EA41A87A7A2A30023F45F624022A3DD4E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x............."!..0..............)... ........@.. ....................................`..................................)..K....@..h............... )...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B.................)......H........ ..,...................P .........................................fSc.....3..PM@...P@...L^...+............p.....u[.h.@o`.s.....m..~..2...E...zM...$.tl.No...Da.R...|.......R2...I.........BSJB............v4.0.30319......`...@...#~..........#Strings............#GUID...........#Blob......................3......................................]...............%...................C.....s...Q.z.....z.....z.....z...4.z.....z.....z.....z.....z...........i.................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52896
                                                                                                                                                                                                                                        Entropy (8bit):6.684498329756475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ZZcxU+oWt5y4JSLFUA5JDHyFuc97Qk7Y32QttzX/XHXJREYcP+uLFClNP69zB:ZZN/iDALyFFQk7Y32OJPX7cP9piNuzB
                                                                                                                                                                                                                                        MD5:732613D07CF169180B7874BF3CA02EA8
                                                                                                                                                                                                                                        SHA1:0554B11B5E3C4A61823E9D7F74F71B0EA4A6678E
                                                                                                                                                                                                                                        SHA-256:6192CFA1614ECA1B992CFBA155FF9EF3D32C3A7F642912BBB502F0001DE246B5
                                                                                                                                                                                                                                        SHA-512:B60315B4C309A29C9E174A81464F528309155744FC170FD229A65ABEABAA1E035E2AFA7857D30BFD1586A80A1E15ED6807068C41154A32E3CD09E76BBE9ED93D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......................................................................`...@......@............... ......................................\!...........(..........8...T...............................................................H............text.............................. ..`.data...&...........................@....reloc..............................@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...W.e.b...H.t.t.p.U.t.i.l.i.t.y.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.711582753143812
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DEVND8hxWVwo9W7YA6VFHRN7gD2R9zza+t1fY:D+u+2FClsK9zZ1fY
                                                                                                                                                                                                                                        MD5:31AC4E4AAED9264FA20A5E21B3393F7E
                                                                                                                                                                                                                                        SHA1:52A0AC2D9D0A5C099F6B490A3CED86CD5D04A446
                                                                                                                                                                                                                                        SHA-256:12EC2E14354B9F25143D4A6FE3DF9ABE0EAC379918B85BD7532D10C30E30423F
                                                                                                                                                                                                                                        SHA-512:EB15E6A6F18E89A8D4094C01FBAAC5DDB837794AB598D7D4176F98B8B0E0F0581D60FBBA8C97F0373E9817C89F8193A3E0C57BA88EC69F88F8A929A09879690F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............z*... ...@....... ..............................wQ....`.................................%*..O....@..8................)...`......X)..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B................Y*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....0.......#US.4.......#GUID...D...D...#Blob............T.........3....................................................6.Y.....Y...X.F...y.......................$...........o.......................V.....l.................>.......Y.................@.....@.....@...).@...1.@...9.@...A.@...I.@...Q.@...Y.@...a.@...i.@...q.@...y.@.....@. ...@.....@...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.684087527310445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ClyaMtLx2vJWE2SW3W+WxNzx95jmHnhWgN7acWNCmyttuX01k9z3AOV8sQR:GyaMtF0JWE2SWmFX6HRN7nnSR9zdV8hR
                                                                                                                                                                                                                                        MD5:D4DC0B9D603E0AC51FA099E12261E82D
                                                                                                                                                                                                                                        SHA1:C9D7877F32BA92F1D63F35999A9270CFDFBA6FCC
                                                                                                                                                                                                                                        SHA-256:5798AB51F67A1731E67A8A356763CB5C02BDA618DD575AED51DC6272096BB218
                                                                                                                                                                                                                                        SHA-512:0F2999E1522ECD1EA45FE0BD2C1484C4A3E11E91D7E728D1358E7F9A2FE3B1144302A2DACCFFB0F97185F80C6E7F54A959D550F806E154FFB9E7C0B408A4B95C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5E..........." ..0..............,... ...@....... ....................................`..................................+..O....@..X................)...`.......+..T............................................ ............... ..H............text...4.... ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................,......H.......P ..4....................*......................................BSJB............v4.0.30319......l...h...#~..........#Strings............#US.........#GUID.......@...#Blob............T.........3......................................................Q...&.Q.....>...q.......D.........m.....y.................P...................................4.............Q..... ...........8.....8.....8...).8...1.8...9.8...A.8...I.8...Q.8...Y.8...a.8...i.8...q.8...y.8.....8. ...8.....8...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16672
                                                                                                                                                                                                                                        Entropy (8bit):6.667070680792912
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:BhMvUCh9W1Y4WOArWxNzx95jmHnhWgN7agWUmMfKUSIX01k9z3ARqK:AL9W1Y4WOAEX6HRN79mW2IR9zoH
                                                                                                                                                                                                                                        MD5:19645202783866DF23C6D8746CE1196A
                                                                                                                                                                                                                                        SHA1:6D8293BA6B41247BA090E3ACB3AD98F4267AF44C
                                                                                                                                                                                                                                        SHA-256:E7065641210FAB4636FCC3B117E4E15A584838E71A4D0B3835D6378C78937465
                                                                                                                                                                                                                                        SHA-512:00A5FC30B4DDE85306BDDC509FD539F4C7A17C2A032EF65F620697C158D0A11DF5F06CF0FD1A6886B88D8EF7EB53321CE18B9ADFC5B6EE248291C09BDA411EE9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W..........." ..0..............,... ...@....... ....................................`..................................,..O....@..X............... )...`.......+..T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................,......H.......P ......................(+......................................BSJB............v4.0.30319......l...l...#~......<...#Strings............#US.........#GUID...(.......#Blob............T.........3..........................................f...........+.....+.........K.......;.....z...d.....p.................G...................................+.......).....+.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22176
                                                                                                                                                                                                                                        Entropy (8bit):6.352093179803691
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:P125qkxK67ex4FCRunW1wAWEYA6VFHRN7JtHNsAR9zqo:NKLmAWFCl3ts89zL
                                                                                                                                                                                                                                        MD5:FB77B8FA47F57C039EC3202C86752842
                                                                                                                                                                                                                                        SHA1:22138F3686EB4AE26D4B6212EC91B1441F918AE0
                                                                                                                                                                                                                                        SHA-256:0B8B80E022A7A6F46E61CC434658AFC00F72631E4303AC5FA2237DBA99925098
                                                                                                                                                                                                                                        SHA-512:9685C0BECDEB79531BD37A40A4C1F7FB230706AD88AD25F3A1E930D59408DA370D050707B47D4BEC72E8C4598C080C2E01E415E94DCC8E14ADA3F4ACD9E545D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=............."!..0..$...........B... ........@.. ...............................J....`.................................LB..O....`...................(...........A..8............................................ ............... ..H............text...."... ...$.................. ..`.rsrc........`.......&..............@..@.reloc...............,..............@..B.................B......H........ ... ..................P ........................................Qm=........B.*.c.)J.......f.....V.GQ@.[....ZY~.<L.>..9..?...`.........s.}c.....x....ujz.As7...{......~l..q....j..F>....r.BSJB............v4.0.30319......`.......#~......8...#Strings............#GUID...(.......#Blob......................3............................................................G..... .......b.....i...f.....-.........................................[...............................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.7385136944866995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+rKxzzhLW7MfEqHWqWxNzx95jmHnhWgN7aoW3zAcZQZfKUSIX01k9z3ARq7fG7yu:+ezdLW7MfEqHW5X6HRN7l2IR9zoqG9
                                                                                                                                                                                                                                        MD5:618450D16A5E2A9E8892A0A08748115B
                                                                                                                                                                                                                                        SHA1:F282DDC839FEE8E157C8F9453B2C447CF2292E5A
                                                                                                                                                                                                                                        SHA-256:84537A54CCA9AA87F0246E71E75A77124C90B4602A979C111368848FD975B591
                                                                                                                                                                                                                                        SHA-512:8AB0AC9D1BC47D5378B70D38D8EC86B08EB1CC0FE9A1167BA3DC16CE49F1CEBE47D410A59A9F2A60F699773D0D745625C348744B3114300D03B6E0F507E77757
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{............" ..0..............-... ...@....... ..............................:^....`..................................-..O....@...................)...`.......,..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l...x...#~..........#Strings............#US.........#GUID...........#Blob............T.........3..........................................p.........$.F.....F...r.....|.......<...............*...........]...........0.....M.....D.................s.....D.....x.F.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.768329397272433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RaxphW/vdWXpWjA6Kr4PFHnhWgN7agWacdhHssDX01k9z3AGWaEj:yphW/vdWXYA6VFHRN78dFDR9z7WPj
                                                                                                                                                                                                                                        MD5:D0EB97936EF83C560D6C32F8A01DD0B4
                                                                                                                                                                                                                                        SHA1:689484E237A3C1BF34DCBD30349EF026D25EB9E6
                                                                                                                                                                                                                                        SHA-256:E9E7AB3E5CE5993C393E1628A9390C3C676661FADD15B8AF18DF8F37D4E7F0D6
                                                                                                                                                                                                                                        SHA-512:C395BB74991B8C3F8590CF339920CF283A5887C8330B41FCB4C2AA958F25970CD67D037CFC5A20B291E8F088EF2580BBCB9AC641AA97A2E4DC965D6B4805DAC6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8............"!..0..............+... ........@.. ..............................:.....`.................................L+..O....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ......................................g8xv...a..M..!....(G.1a........../}\.fl".SJ.tz...U.a.........=.e\..|.....^f.....afq.y.......c<Ff.=...W..?.<G6....OP.]..mBSJB............v4.0.30319......`.......#~..l.......#Strings............#GUID...,.......#Blob......................3................................................L...............................8.....L...p.L.....L.....L.....L.....L.....L...l.L.....L.............................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18192
                                                                                                                                                                                                                                        Entropy (8bit):6.651913199525005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MW0aeWJ4nTLVGQYA6VFHRN7NN/7R9zCMZ:3J4nPlFCljF9zL
                                                                                                                                                                                                                                        MD5:0059E13D67A0A703782F6761903F9993
                                                                                                                                                                                                                                        SHA1:F278429223A4993D3757465A5CDEB11679708C03
                                                                                                                                                                                                                                        SHA-256:186782FBF3EEE0E17A95D06769548771B62252BDC412BE8F83A582D091A8DBD6
                                                                                                                                                                                                                                        SHA-512:CDDBBBC503FA1C2D98C267CDC1A31ED052A8E5AE870924ECDE9408D044F571C9F701FE85E2DB7AEF5005B6B262F8BCBE08DF00D2E35BCAC25361987E362E6A3C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y{............" .........................................................P............`...@......@............... ......................................0...H........)...@......P...T...............................................................H............text............................... ..`.data...?....0......................@....reloc.......@......................@..B............................................0...........................\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...N.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...X.m.l...X.P.a.t.h...X.D.o.c.u.m.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...^.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.724803734854889
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J/lRiA8DrHDWBVvWrjcYA6VFHRN7cVXC4deR9zVjxqmt:PP804cFClcVXC4dC9zVjYK
                                                                                                                                                                                                                                        MD5:D8BD70EB45B4B115C2ED458D8A5E756A
                                                                                                                                                                                                                                        SHA1:1FE7563C6A18BE3D0E59FC0CDFF54495C5A15F42
                                                                                                                                                                                                                                        SHA-256:4FA30F4343142ABC37495DC2DF892A2B357C00C9FE5389B5E3D3566A888F75E2
                                                                                                                                                                                                                                        SHA-512:68233A9CD8C4524C57038569E6D6770E03B8A6DF95F31463753E4BA4834D3CE9FE87F458B27B282E4425CB453AB59287D03E0B5824075B5B477E3EE184095F2C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M............."!..0..............*... ........@.. ...............................h....`.................................|*..O....@..h................)...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B.................*......H........ ......................P ......................................R].!.k..R....I..`?.sA%!....`.......d...!.]....R....^..8./.O..b...3....%_bf.P]..=.]I..3...._.p7q....C+V...#..o<....w7...+.n...?BSJB............v4.0.30319......`.......#~......\...#Strings....X.......#GUID...h.......#Blob......................3......................................'.........C...............................d...%.{...g.{.....{...|.{.....{.....{.....{...c.{.....{.............................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.785986414151434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MVZNGfjiWeEsWRYA6VFHRN7EvQFcTR9z6TlLOH:6NGpbFClEvQeV9zalLOH
                                                                                                                                                                                                                                        MD5:E4C4592017D5132F245A622B8F40970E
                                                                                                                                                                                                                                        SHA1:EDDF6A290E9250B5B6668E00101F6F48D23A4D4A
                                                                                                                                                                                                                                        SHA-256:08C59884C4662F992985FBC992F196961BA9D8D3DC2CB3BF3E6E3602426B2F54
                                                                                                                                                                                                                                        SHA-512:46A12FAE6D250D3D8C75016B41FC6CBCE03512419D989B0F9C3206FDFA2CE4E68FA9A0B437ABDB7B17EAAA68841139EF0AFC50696B83D0FD49917B8B99F83AC9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%............."!..0..............+... ........@.. ....................................`.................................|+..O....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ......................................e.X.]w...1......(.....Ra$.|.w.xHj)......;nN+.E..(..Q.'U2.a.Y........l..6...!.w(.....J..M.>....3.....\...j.#...?....1.(Z(;..tT.BSJB............v4.0.30319......`.......#~..\.......#Strings....H.......#GUID...X.......#Blob......................3......................................#.........P./...../.........O.............\...2.....g...................................p............./.......................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18208
                                                                                                                                                                                                                                        Entropy (8bit):6.62112689223517
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JmiLgTJNTDxhkcWplvW5MWxNzx95jmHnhWgN7agW5wIAgfcMbnoQNpX01k9z3Abg:Yi8rdhbWplvW5TX6HRN7xI/7R9zCng
                                                                                                                                                                                                                                        MD5:AC8C00A6747DE5226C137D208C4F182B
                                                                                                                                                                                                                                        SHA1:215E2563CA1AE5FDD1DFABCDA2D4281451C37A03
                                                                                                                                                                                                                                        SHA-256:55F9EDDE671BB0B598826186B23DC864753770B65F7EBE53D3AC3D86512A1B3A
                                                                                                                                                                                                                                        SHA-512:31149C242D6E3CB429E9E3F84C4DE13782C82788D189217ABCFE9A058D7CEE871B8B682D49531D912F6F58DE325136BBA1C073FF1D3F5E14E56ADBFEA57E761C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.y..........."!..0..............3... ........@.. ...............................E....`..................................2..W....@.................. )...`...... 2..8............................................ ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................3......H........ ..P...................P ........................................{...m`.."n....v.......X....#h.V.c....^.U.d..n..5..-]...d......T......2|4A....G.6.....\;./.3.-.}.....,....06ph.QG..o..BSJB............v4.0.30319......`.......#~..(...p...#Strings............#GUID...........#Blob......................3................................J.................................+.....F...........N.....H.........................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24736
                                                                                                                                                                                                                                        Entropy (8bit):6.196087974091141
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qV/Mc95qohA8bhUVGdOQgWKwjsWlYA6VFHRN721DX+iR9zZjES:qV0chOkrFCl+DuO9z9ES
                                                                                                                                                                                                                                        MD5:FD9D85F47840B07B63FAC3C7B1A67ACF
                                                                                                                                                                                                                                        SHA1:09B9728960F9A81B3D67B3F1D9E6E19C0247014E
                                                                                                                                                                                                                                        SHA-256:D563E81C9FEEEF2C1E30A1DB45C95A3CE2A1BC18693CE30289E466D6E1ABC9D2
                                                                                                                                                                                                                                        SHA-512:FA1F20E27EA6A51EEDE46C418792790925E16CC752155B72412312A4A14DEDFCCF1F032C42A7A17B298B8DA5B6FE98DCCC43C062C41C4786EBEC01340FDF12D8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............L... ...`....... ....................................`..................................K..O....`..8............8...(...........J..T............................................ ............... ..H............text....,... ...................... ..`.rsrc...8....`.......0..............@..@.reloc...............6..............@..B.................K......H.......P ...*..................lJ......................................BSJB............v4.0.30319......l...@...#~..........#Strings....L'......#US.P'......#GUID...`'......#Blob............T.........3..........................................P............... .................k.....H...........S.................G...................................+.....m.S...0...................x.....x.....x...).x...1.x...9.x...A.x...I.x...Q.x...Y.x...a.x...i.x...q.x...y.x.....x. ...x.....x...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50960
                                                                                                                                                                                                                                        Entropy (8bit):5.747090092923577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:eQuoy1c6A2ZX8TRNH5JVbOd502zq1TntVBFFClwl9zx:eQuoO3ZX8Q5jzC3BTiw3zx
                                                                                                                                                                                                                                        MD5:C4B42F4015DB97630DAC03F6B12EA124
                                                                                                                                                                                                                                        SHA1:C1ECEAE6CB9C4F6E39F4F582052E3824DB2A5323
                                                                                                                                                                                                                                        SHA-256:A0CAE7A8FF1A44A04215B2FEE19D73B6D9351A7DCEAF17E25D8DC72E5D0A5D60
                                                                                                                                                                                                                                        SHA-512:C75AC92E9F72D016BEDC60AB2FD49C3E21C4C8AE44665FA80613AEEF1A669191F1182EBBEAEF9EDA76A77980930BAE4E5DF238D9CE47689AF781092C298D6CD1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../&K..........." ..0.................. ........... ....................................`.....................................O........................).............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......P ......................`.......................................BSJB............v4.0.30319......l...$;..#~...;...R..#Strings....4.......#US.8.......#GUID...H.......#Blob............T.........3................................/......................=.....=....J=...=......V...}.....h.. ..... ..... ..J.. ..... ..... ..... ..1.. ..j.. .., AF..a.AF.....R..e..=.................;.....;.....;..)..;..1..;..9..;..A..;..I..;..Q..;..Y..;..a..;..i..;..q..;..y..;.....; ....;.....;..

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17160
                                                                                                                                                                                                                                        Entropy (8bit):6.687937690598966
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vpmduasEWQ+E9ZRWVEcWWUYA6VFHRN7rpR9z+ptz/nk:v0dJnP8UFClrD9zWZ/k
                                                                                                                                                                                                                                        MD5:843DB412D5B8F71F10EDD73561B4804B
                                                                                                                                                                                                                                        SHA1:C33B33AD7A29C9E981A049B1DA3E6A793F5CE034
                                                                                                                                                                                                                                        SHA-256:AF02BFB85E43E968B8095065809715D40039841AA1CAAACFEACB9A303C35F93A
                                                                                                                                                                                                                                        SHA-512:AADD18D36BAF1D40309B2B3D128D770AEC298A7F0498C17D5BEFB85ACD32650547D2FB6CA58134221A335DFADBFE1C4B925C14A65A2D971E8F58442EE59013ED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0............../... ...@....... ..............................c.....`.....................................O....@..8................)...`.......-..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p-......................................BSJB............v4.0.30319......l.......#~..$.......#Strings............#US.........#GUID.......D...#Blob............T.........3..........................................f.........3.................'.....0.......v.....................l...........I.....f.....S.............i.....i................. ...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.459775574843526
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SOQWvhW/WYnO/VWQ4SWc0NsxZAqnajT9CJIC:SjWvhWvUsNs/Al39AL
                                                                                                                                                                                                                                        MD5:681C84FB102B5761477D8DA2D68CD834
                                                                                                                                                                                                                                        SHA1:FD96CF075A956FBC2B74E1ECC3E7958163B58832
                                                                                                                                                                                                                                        SHA-256:F0F7CB2A9FFCCB43400DB88D6BF99F2FCC3161DE1AC96C48501D4D522C48C2CA
                                                                                                                                                                                                                                        SHA-512:C41A62F8D10290215B8A7F0DDCC27A1CF12A7453C2DAABEF75BD2CE87C4FFC87D74EDC8CAA1771BEDA0BFA26249CFE3C94D4AF50B22A5DECB6D282BD8A2C4BDD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...B4............" .........0...............................................@............`A........................................p...,............0...............0...!..............p............................................................................rdata..t...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.499619700582879
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:L6WvhWFWYnO/VWQ4SWssAtkqnaj6M07i5CK:+WvhW1UslWMui57
                                                                                                                                                                                                                                        MD5:039D612693E56CCF32AE81C99443EA77
                                                                                                                                                                                                                                        SHA1:0487AA5E7D283A8840F3005D1E24E8C9ED140974
                                                                                                                                                                                                                                        SHA-256:4E978EE035B72032D0B7693E09EED6E112DCED6965780BC3E6B8E024EA2366AB
                                                                                                                                                                                                                                        SHA-512:FFA56C73E977FFCEF7890AB6C3EC52E9827AF28B0552F11C48BB7CA16D37C2B7069FB7E03CEFB89F8679E3755BCC8C47344D0D9B91416C6D92CA7DB28C20240A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....=.........." .........0...............................................@...........`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20952
                                                                                                                                                                                                                                        Entropy (8bit):4.308560743366262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1WvhW/WYnO/VWQ4yWxK2fvXqnajeCqN+6:1WvhWvU8XlX0
                                                                                                                                                                                                                                        MD5:2A8065DC6E6E60FB90B4B3F9E6BA7288
                                                                                                                                                                                                                                        SHA1:400A1F44CD4354DEA0117E79EC04B006D6141B36
                                                                                                                                                                                                                                        SHA-256:55E5F10D0DD9C85FF1C6DC7798E46B3A4422FB7EBC583BB00D06A7DF2494397B
                                                                                                                                                                                                                                        SHA-512:787E033E35AA357263639D97FDFE8A2EBC9F17865579BE13C14C0A4C2ED99432ED8EA79C5046D1B4B783BF5FCF7B713EFDD70FCA8445A7AFCB91CFDDC7F9D442
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...FBe..........." .........0...............................................@.......,....`A........................................p................0...............0...!..............p............................................................................rdata..X...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.314779945585029
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JWvhWiWYnO/VWQ4mWAyTIl1PXEKup3JdqnajKsztG2:JWvhWYUQI/PX7aJdlGsztG2
                                                                                                                                                                                                                                        MD5:720DB2235C4193151FF8987F8A729135
                                                                                                                                                                                                                                        SHA1:038648798892203B506AB4664BAECA25F78BC43C
                                                                                                                                                                                                                                        SHA-256:092B72832C47F9C4EDCDE61F1A111C20EB73452984E0A6109482DE74EB03C34D
                                                                                                                                                                                                                                        SHA-512:CAAC89DC4FE10E7752B6F248623B34A47A77A750E62F0A558C760A8AD672D980AFC966A9E5696BA5C916E722FD221D305C4D2C49D5DDA0E4A768855886D4F3CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...@4............" .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-errorhandling-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.363620943088422
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:9m7xeiImxD3exWvhW5WWYnO/VWQ4mWACJXEKup3JdqnajKsztJ30:9m7xeiIFxWvhWuUkX7aJdlGsztd0
                                                                                                                                                                                                                                        MD5:ECDD006AAE56427C3555740F1ABFA8D6
                                                                                                                                                                                                                                        SHA1:7DFAB7AD873544F627B42C7C4981A8700A250BD4
                                                                                                                                                                                                                                        SHA-256:13BC8B3F90DA149030897B8F9F08D71E5D1561E3AE604472A82F58DAB2B103F9
                                                                                                                                                                                                                                        SHA-512:A9B37E36F844796A0FE53A60684BE51AB4013750BB0B8460C261D25FA5F3DE6CE3380044DDC71116825D130A724DF4BA351C2CFFCBF497EF1B6C443545E83F1C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......v.........." .........0...............................................@.......p....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-fibers-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.2939305898439235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8gWvhWliWYnO/VWQ4mWCkJZH2vArqnajKsbTYjtZ:NWvhWlYUDuH24rlGsbTY5Z
                                                                                                                                                                                                                                        MD5:EB065ED1B5CABDBB90E2403B8564778F
                                                                                                                                                                                                                                        SHA1:5B511215EE0E347734FB727FAD6A0A959FF81BF1
                                                                                                                                                                                                                                        SHA-256:BB2D740333AFAEA2A73A163F95FA102D018CCD68DEF28B6815A2BE0696AB57DB
                                                                                                                                                                                                                                        SHA-512:E5FF38F28253FB31BF583131E23EF58AF60020AD1FB329986C8789FE351F4B73CB06109FBC4220678D93191B04DB353466F728534AA1FEBEDF150C491B8E7C65
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....cc.........." .........0...............................................@.......o....`A........................................p................0...............0...!..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25048
                                                                                                                                                                                                                                        Entropy (8bit):4.628757275210407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1mtaNYPvVX8rFTsvWvhWmWYnO/VWQ4yW9AfvXqnajeCqKW:8PvVXhWvhWMU7XlX7W
                                                                                                                                                                                                                                        MD5:36277B52C64CC66216751AAD135528F9
                                                                                                                                                                                                                                        SHA1:F2A6740BA149A83E4E58E1E331429FA3EB44FBA0
                                                                                                                                                                                                                                        SHA-256:F353B6C2DF7AADB457263A02BCE59C44BBAB55F98AE6509674CFBC3751F761B9
                                                                                                                                                                                                                                        SHA-512:BE729194A0A3C4D70A6FFA8DE5C7F8BB3DDA1F54772F9AEFF4B9AA1D6756720D149613C5DCB911286B6C0181A264A4A2A8A4EB848C09AC30BA60B6FD10DD64C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...!..e.........." .........@...............................................P............`A........................................p................@...............@...!..............p............................................................................rdata..L........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.328858083322922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IAIEWvhWLIQWYnO/VWQ4eWletp80Hy5qnajsBk9:I5EWvhWLI+UJpslE8
                                                                                                                                                                                                                                        MD5:D92E6A007FC22A1E218552EBFB65DA93
                                                                                                                                                                                                                                        SHA1:3C9909332E94F7B7386664A90F52730F4027A75A
                                                                                                                                                                                                                                        SHA-256:03BD3217EAE0EF68521B39556E7491292DB540F615DA873DD8DA538693B81862
                                                                                                                                                                                                                                        SHA-512:B8B0E6052E68C08E558E72C168E4FF318B1907C4DC5FC1CD1104F5CAE7CC418293013DABBB30C835A5C35A456E1CB22CC352B7AE40F82B9B7311BB7419D854C7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@......p.....`A........................................p...L............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.41968362445382
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:lC+WvhWRWYnO/VWQ4SWHvD480Hy5qnajsBkffy2:4+WvhWRUGEslECl
                                                                                                                                                                                                                                        MD5:50ABF0A7EE67F00F247BADA185A7661C
                                                                                                                                                                                                                                        SHA1:0CDDAC9AC4DB3BF10A11D4B79085EF9CB3FB84A1
                                                                                                                                                                                                                                        SHA-256:F957A4C261506484B53534A9BE8931C02EC1A349B3F431A858F8215CECFEC3F7
                                                                                                                                                                                                                                        SHA-512:C2694BB5D103BAFF1264926A04D2F0FE156B8815A23C3748412A81CC307B71A9236A0E974B5549321014065E393D10228A0F0004DF9BA677F03B5D244A64B528
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....mR.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-handle-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.329081455517674
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ZfWvhWPWYnO/VWQ4SWR7me4qdsxZAqnajT9CRixc:ZfWvhW/UNezs/Al39wiO
                                                                                                                                                                                                                                        MD5:3039A2F694D26E754F77AECFFDA9ACE4
                                                                                                                                                                                                                                        SHA1:4F240C6133D491A4979D90AFA46C11608372917F
                                                                                                                                                                                                                                        SHA-256:625667EA50B2BD0BAE1D6EB3C7E732E9E3A0DEA21B2F9EAC3A94C71C5E57F537
                                                                                                                                                                                                                                        SHA-512:D2C2A38F3E779AC84593772E11AE70FC8BCFD805903E6010FE37D400B98E37746D4D00555233D36529C53DD80B1DF923714530853A69AA695A493EC548D24598
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......0.........." .........0...............................................@......=.....`A........................................p...`............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-heap-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.447714045651854
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:gxlAWvhW5EWYnO/VWQ4SWArSZBUuUgxfzfqnajmGYjB:gxlAWvhW5yUbSsIrlStjB
                                                                                                                                                                                                                                        MD5:2EDC82C3DA339A4A138B4E84DC11E580
                                                                                                                                                                                                                                        SHA1:E88F876C9E36D890398630E1B30878AF92DF5B59
                                                                                                                                                                                                                                        SHA-256:E36B72EAFFFFFB09B3F3A615678A72D561B9469A09F3B4891ABA9D809DA937A5
                                                                                                                                                                                                                                        SHA-512:6C1B195B2FABE4D233724133AE3BDF883F287B5ECD9639A838AD558159A07E307E7AE5E5407CE9229DCCDE4BE2CC39EC59506A5FB73B45D04B80330B55E2B85C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...)\Ix.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.368970650031484
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ODWvhWJWYnO/VWQ4mWbAcH2vArqnajKsbTY3:ODWvhWJUrcH24rlGsbTY3
                                                                                                                                                                                                                                        MD5:215E3FA11BE60FEAAE8BD5883C8582F3
                                                                                                                                                                                                                                        SHA1:F5BF8B29FA5C7C177DFEC0DE68927077E160C9AB
                                                                                                                                                                                                                                        SHA-256:FBB9032835D0D564F2F53BBC4192F8A732131B8A89F52F5EF3FF0DAA2F71465F
                                                                                                                                                                                                                                        SHA-512:C555698F9641AF74B4C5BB4CA6385B8D69D5A3D5D48504E42B0C0EB8F65990C96093687BC7EE818AA9C24432247AFAD7DF3BF086010A2EFCD3A1010B2FCD6A31
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@......5.....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.601897142725442
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pTvuBL3BBLxWvhWcWYnO/VWQ4mW74j21EhqnajKsxX+:pTvuBL3BXWvhWKUBqslGsxu
                                                                                                                                                                                                                                        MD5:9A8AB7FE8C4CC7604DFF1FBFA57458AA
                                                                                                                                                                                                                                        SHA1:68ED7B6B5191F53B50D6A1A13513DB780AB19211
                                                                                                                                                                                                                                        SHA-256:E9A3D7F8A08AB5BC94ACB1EC1BFFDA90469FEC3B7EECDF7CF5408F3E3682D527
                                                                                                                                                                                                                                        SHA-512:05DAEABBCDE867E63FDE952213FFF42AF05E70AE72643C97060A90DCEA2A88B75947B6F503CB2C33938AFE36AD1BAFBA5008C1BBE839F6498CDA27DA549DAEE9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...P.1..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..`...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):5.116096564588074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6naOMw3zdp3bwjGzue9/0jCRrndbDWvhWfUCBoliM:POMwBprwjGzue9/0jCRrndbwIJY
                                                                                                                                                                                                                                        MD5:DE5695F26A0BCB54F59A8BC3F9A4ECEF
                                                                                                                                                                                                                                        SHA1:99C32595F3EDC2C58BDB138C3384194831E901D6
                                                                                                                                                                                                                                        SHA-256:E9539FCE90AD8BE582B25AB2D5645772C2A5FB195E602ECDBF12B980656E436A
                                                                                                                                                                                                                                        SHA-512:DF635D5D51CDEA24885AE9F0406F317DDCF04ECB6BFA26579BB2E256C457057607844DED4B52FF1F5CA25ABE29D1EB2B20F1709CF19035D3829F36BBE31F550F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....3..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.483681194749599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:WqfWvhWoWYnO/VWQ4mWKNe4XEKup3JdqnajKsztPO/B:WGWvhWWU9X7aJdlGsztP2
                                                                                                                                                                                                                                        MD5:7DDDA921E16582B138A9E7DE445782A0
                                                                                                                                                                                                                                        SHA1:9B2D0080EDA4BA86A69B2C797D2AFC26B500B2D3
                                                                                                                                                                                                                                        SHA-256:EF77B3E4FDFF944F92908B6FEB9256A902588F0CF1C19EB9BF063BB6542ABFFF
                                                                                                                                                                                                                                        SHA-512:C2F4A5505F8D35FBDD7B2ECA641B9ECFCB31FE410B64FDE990D57B1F8FD932DFF3754D9E38F87DB51A75E49536B4B6263D8390C7F0A5E95556592F2726B2E418
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...dIx..........." .........0...............................................@.......:....`A........................................p...l............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.417647805455514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RWvhW0WYnO/VWQ4SWKeE+Ztc80Hy5qnajsBkUqS:RWvhWiUxslE5qS
                                                                                                                                                                                                                                        MD5:BF622378D051DB49BDC62ACA9DDF6451
                                                                                                                                                                                                                                        SHA1:EFD8445656A0688E5A8F20243C2419984BB7743E
                                                                                                                                                                                                                                        SHA-256:0BFEDB0D28E41E70BF9E4DA11E83F3A94C2191B5CD5DD45D9E9D439673B830CE
                                                                                                                                                                                                                                        SHA-512:DF32D34C81FDE6EEF83A613CE4F153A7945EECFB1EC936AC6ED674654A4E167EC5E5436185B8064177F5F9273D387CA226C3C9529591180250A9C5C581EC6F70
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....2............" .........0...............................................@.......p....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.6126507489483375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qF3qWvhWQWYnO/VWQ4SWL7JJsxZAqnajT9CgsLam:qF6WvhW+UA7s/Al39wR
                                                                                                                                                                                                                                        MD5:A56E3E2AA6398CCB355C7CDE81CCB6E5
                                                                                                                                                                                                                                        SHA1:A26273DD41DB7B63D3A79ACF6F4F3CF0381A8F02
                                                                                                                                                                                                                                        SHA-256:25AF1BC31C4A3FB9F1036C9AA51CB0AE8899C499B3EEF4CF7281515C1EA27B47
                                                                                                                                                                                                                                        SHA-512:3D5CEC9E5B42724794282974F637B1FDA8C26ADF01ED19DD2EC4F940E01CD43BDC42E46DC3E62704E62553DE96D3FEA1616C9650AF73CDB557DFCA1B52051A64
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.978924663768967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Hck1JzNcKSIGqAWvhWTUpDX7aJdlGsztMs:3cKSswKz7aJGps
                                                                                                                                                                                                                                        MD5:82159E8D92E38C4F287EB9420DCF1F9F
                                                                                                                                                                                                                                        SHA1:2E4436DBE18D943416A388777D05BFE5CB553DE7
                                                                                                                                                                                                                                        SHA-256:0D22CE9D987EFD6886A8DE66A6A678C287D29B15963B4373F73D79DDE42C9827
                                                                                                                                                                                                                                        SHA-512:DCEF1E0C7916C8CD08148962949A996FFC5D46B899CD82DFBCD9BB1BC614622BC8997F1E7D3C4E3D75F2DF07540A4C17F39477CFE97BA7F0BD280CDD52E06F91
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......Y.........." .........0...............................................@.......K....`A........................................p................0...............0...!..............p............................................................................rdata..4...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.513848472591714
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pwQpUwzDfIeOWvhW9WYnO/VWQ4+WWXtplsxZAqnajT9CGl:pZDfIeOWvhWNUFbls/Al39Hl
                                                                                                                                                                                                                                        MD5:74C264CFFC09D183FCB1555B16EA7E4B
                                                                                                                                                                                                                                        SHA1:0B5B08CDF6E749B48254AC811CA09BA95473D47C
                                                                                                                                                                                                                                        SHA-256:A8E2FC077D9A7D2FAA85E1E6833047C90B22C6086487B98FC0E6A86B7BF8BF09
                                                                                                                                                                                                                                        SHA-512:285AFBCC39717510CED2ED096D9F77FC438268ECAA59CFF3CF167FCC538E90C73C67652046B0EE379E0507D6E346AF79D43C51A571C6DD66034F9385A73D00D1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...%p_W.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..,...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-profile-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.293598211920456
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:dWvhW/WYnO/VWQ4SWYujPUsxZAqnajT9Cl36:dWvhWvUgMs/Al39Eq
                                                                                                                                                                                                                                        MD5:D6F37B232E3F2E944EBCF53A662E852F
                                                                                                                                                                                                                                        SHA1:C10839E941444ED79C2314F90DA34E5742F4E514
                                                                                                                                                                                                                                        SHA-256:5E6AD9502C8411F29BC072EFD08C4FCD09BC3367814269DEDA74A78536FB8375
                                                                                                                                                                                                                                        SHA-512:6E0CF1021EF3FF31895D2B6A9E72084EBE52DE4201D317B12FB8B05A7B1946FDEF65D2B046F8FB25189D3A94F70726121F2E8EAC8239C00EE02EF5EAF57F21C5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata.. ...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.469567491280211
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aGeVTg6WvhWGWYnO/VWQ4SWupBd80Hy5qnajsBkt2NjY:aGeVTg6WvhWsUldslE8+Y
                                                                                                                                                                                                                                        MD5:6397D5CC116D884D31552F613F748556
                                                                                                                                                                                                                                        SHA1:B76B19FE4D3D5D26D2DEE1983D384E26D961180E
                                                                                                                                                                                                                                        SHA-256:40EB38D84DFD13C8A58211B8273C4B4965148742F08EB6FE8B0830392C37ABC1
                                                                                                                                                                                                                                        SHA-512:4449DA9BAA3F722EB274AC527125F5918A17BC94B243849A0A44F3463E35F368339A58A6AA1E08B83D54D13538C0D52BFCB452A48B8B9A52961BF136256D220E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....C}.........." .........0...............................................@.......T....`A........................................p...<............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.375396134710155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:v0yyMvJWvhW4WYnO/VWQ4SWQwwV80Hy5qnajsBkrfFIf:zyMvJWvhWmUAIslEAfFI
                                                                                                                                                                                                                                        MD5:D2D7458AB838E738B54FB4D6FA490BF6
                                                                                                                                                                                                                                        SHA1:0CFC5659B23A35C987B96CABBC0D10325316385D
                                                                                                                                                                                                                                        SHA-256:285A481D7BA9859CC28BEDEDD8F05A90BD648A34D66B8C797118920B40E15E4E
                                                                                                                                                                                                                                        SHA-512:62E0ABB2E59D360D6A066E73289AA1B880E7C1A0B7E6C695F40B1E0F2CB11DEB9E54DEBA4045D2454B911AF109EC198F11073874A8F023EB1B71A16A74354A1E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....%fN.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..<...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.889960536352825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lQMwidv3V0dfpkXc0vVaLnWvhWTULrX7aJdlGsztzO1:xHdv3VqpkXc0vVagQ2L7aJGqO1
                                                                                                                                                                                                                                        MD5:255B18FE8AB465C87FB8AD20D9A63AAC
                                                                                                                                                                                                                                        SHA1:645823B0332ADDABA5E4EF40D421B2DA432FDA5E
                                                                                                                                                                                                                                        SHA-256:E050E1BFBB75A278412380C912266225C3DEE15031468DAE2F6B77FF0617AA91
                                                                                                                                                                                                                                        SHA-512:19244B084AC811B89E0E6A77F9308D20CF4FBB77621D34EEDC19FCD5C8775A33B2D9ADA3F408CBE5806C39745B30C1C1CC25D724DB9377B437D771AE0BF440B1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....>F..........." .........0...............................................@......Re....`A........................................p...X............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.557349562243787
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ctZ3ZtIWvhW9NWYnO/VWQ4SWndusxZAqnajT9CMCz4:ctZ3wWvhW9dUds/Al39pCz4
                                                                                                                                                                                                                                        MD5:0A2432A420640A79FAAFF044AB054EF6
                                                                                                                                                                                                                                        SHA1:15688BF3C9330309EC5EA602C0AD5AF1FD68BC30
                                                                                                                                                                                                                                        SHA-256:9DFD114E4182662A669A3B9054DD2A24D96DD66ED96A8B2AC05601928B2084D5
                                                                                                                                                                                                                                        SHA-512:090D6D5046AEFE9006B319FC3F9740426BC93E50CF262CE65857449891CA69D2A235421CFEA3FB178D3F8B1E3F640B8678AA9D8F6E67B8A17985913BEBFB3FDD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...x............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.617444368323971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:UgdKIMFemVWvhWNWYnO/VWQ4mWY1tcQIj21EhqnajKsxN:JH0WvhWdUDIqslGsxN
                                                                                                                                                                                                                                        MD5:E1A7B1F8CDB24324D0E44B0078DB8BD1
                                                                                                                                                                                                                                        SHA1:B6C2FE32AE5FA1398F7AE6245C405378E32A7897
                                                                                                                                                                                                                                        SHA-256:45D4F1E398E4CC73FD1AAAD80219D2A9D3205A228167C819EB6787D7B01FC186
                                                                                                                                                                                                                                        SHA-512:144AFE1CB812DE93FBDD08658AFEB4C95480A8E504C5DCF909FF226400CA2D0F48395CF71954FBD1B3DD93A49CBA39EC0DB3FC34A05804C93FD9A48B0A1749CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@.......A....`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.549935038939539
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+cWvhWoWYnO/VWQ4mWRhXEKup3JdqnajKsztzy:+cWvhWWUqX7aJdlGsztzy
                                                                                                                                                                                                                                        MD5:CB39EEA2EF9ED3674C597D5F0667B5B4
                                                                                                                                                                                                                                        SHA1:C133DC6416B3346FA5B0F449D7CC6F7DBF580432
                                                                                                                                                                                                                                        SHA-256:1627B921934053F1F7D2A19948AEE06FAC5DB8EE8D4182E6F071718D0681F235
                                                                                                                                                                                                                                        SHA-512:2C65014DC045A2C1E5F52F3FEA4967D2169E4A78D41FE56617CE9A4D5B30EBF25043112917FF3D7D152744DDEF70475937AE0A7F96785F97DCEFAFE8E6F14D9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.319450964936577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:MPWvhWRWYnO/VWQ4SWiIsxZAqnajT9CDH:yWvhWRUCs/Al39OH
                                                                                                                                                                                                                                        MD5:5B6C46F42ED6800C54EEB9D12156CE1F
                                                                                                                                                                                                                                        SHA1:66CE7A59B82702875D3E7F5B7CF8054D75FF495F
                                                                                                                                                                                                                                        SHA-256:2631CADCE7F97B9A9E6DF4E88F00F5A43EF73B070EE024ED71F0B447A387FF2F
                                                                                                                                                                                                                                        SHA-512:38FF6745BB5597A871B67AA53FCC8426BC2CDD16B6497A0EB7B59C21D8716F1ABB1F7C7A40A121AD1BD67B5490FEF5CF82EE8FD0BF848F27DCA27FC5D25DEC61
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......#.........." .........0...............................................@...........`A........................................p...<............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.6478341719136145
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:y0WvhW3WYnO/VWQ4mW8iTH2vArqnajKsbTYk:FWvhWnUIH24rlGsbTYk
                                                                                                                                                                                                                                        MD5:A68D15CAB300774D2A20A986EE57F9F4
                                                                                                                                                                                                                                        SHA1:BB69665B3C8714D935EE63791181491B819795CB
                                                                                                                                                                                                                                        SHA-256:966DDBF59E1D6C2A80B8ABBF4A30D37475DE097BF13FB72BA78684D65975CD97
                                                                                                                                                                                                                                        SHA-512:AC040F92560631CA5162C7559173BDFE858E282225967AB1ADC0A038D34943B00DB140D44319CD2CDC2864295A098AB0BA634DFAA443E1D1782FA143AE4C217D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...8.?;.........." .........0...............................................@......5.....`A........................................P................0...............0...!..............p............................................................................rdata..@...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-convert-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25056
                                                                                                                                                                                                                                        Entropy (8bit):4.647238720605179
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3jQ/w8u4cy1WvhWb9WYnO/VWQ4SWANsAlosytkqnaj6Md:fy1WvhWhUNsilWMd
                                                                                                                                                                                                                                        MD5:0E35E369165875D3A593D68324E2B162
                                                                                                                                                                                                                                        SHA1:6A1FF3405277250A892B79FAED01DCDC9DBF864A
                                                                                                                                                                                                                                        SHA-256:14694879F9C3C52FBD7DDE96BF5D67B9768B067C80D5567BE55B37262E9DBD54
                                                                                                                                                                                                                                        SHA-512:D496F0C38300D0EED62B26A59C57463A1444A0C77A75C463014C5791371DECA93D1D5DD0090E8E324C6A09BD9CFF328F94947272CA49018C191C12732E805EE8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....A............" .........@...............................................P......4.....`A........................................P................@...............@...!..............p............................................................................rdata..>........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.454858890873412
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:PLGju+OXWvhW+eWYnO/VWQ4mWPiNbj21EhqnajKsxy:PLGjuJWvhWFUztqslGsxy
                                                                                                                                                                                                                                        MD5:DACF383A06480CA5AB70D7156AECAB43
                                                                                                                                                                                                                                        SHA1:9E48D096C2E81A7D979F3C6B94315671157206A1
                                                                                                                                                                                                                                        SHA-256:00F84C438AAB40500A2F2DF22C7A4EC147A50509C8D0CDAC6A83E4269E387478
                                                                                                                                                                                                                                        SHA-512:5D4146A669DDB963CF677257EC7865E2CFCB7960E41A38BBD60F9A7017474ED2F3291505FA407E25881CBF9E5E6B8055FF3BD891043284A0A04E3FE9CFAD9817
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................." .........0...............................................@......w.....`A........................................P..."............0...............0...!..............p............................................................................rdata..r...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.950541424159939
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RSnWlC0i5CtWvhWJKWYnO/VWQ4SWuMasxZAqnajT9CQMDt:RSnWm5CtWvhWWUyas/Al39ODt
                                                                                                                                                                                                                                        MD5:D725D87A331E3073BF289D4EC85BD04D
                                                                                                                                                                                                                                        SHA1:C9D36103BE794A802957D0A8243B066FA22F2E43
                                                                                                                                                                                                                                        SHA-256:30BCF934CBCC9ED72FF364B6E352A70A9E2AFA46ECEADEA5C47183CB46CFD16E
                                                                                                                                                                                                                                        SHA-512:6713FF954221C5DD835C15556E5FA6B8684FA7E19CE4F527A5892E77F322B3DAE7199A232040B89AD4A9575C8D9788D771892D2294F3C18DA45E643EB25FDB08
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......0.........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.591111522505104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:PUFY17aFBRIWvhWrWYnO/VWQ4mWCJH2vArqnajKsbTYxj:8Q1WvhWLUrH24rlGsbTY5
                                                                                                                                                                                                                                        MD5:9151E83B4FDFA88353B7A97AE7792678
                                                                                                                                                                                                                                        SHA1:B46152E70D5D3D75D61D4CCDB50403BD08BB9354
                                                                                                                                                                                                                                        SHA-256:6C0E0D22B65329F4948FCF36C8048A54CCCCBF6C05B330B2C1A686F3E686EED0
                                                                                                                                                                                                                                        SHA-512:4D4210474957E656D821E1DC5934A4BFBF7E73DD61D696A1AB39914F887810C8FBE500DBB1E23782B40807F25820F35C9665E04DCDC2FD0F6C83046A4AECB86B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...G..d.........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..f...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-locale-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.54281367075804
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:g8yWvhWVWYnO/VWQ4mWWeUDj21EhqnajKsxRIM9:gtWvhWFUtDqslGsxRIG
                                                                                                                                                                                                                                        MD5:EBC168D7D3EA7C6192935359B6327627
                                                                                                                                                                                                                                        SHA1:AECEB7C071CF1BB000758B6CEEBEFEEC91AD22BD
                                                                                                                                                                                                                                        SHA-256:C048A3D7AB951DCE1D6D3F5F497B50353F640A1787C6C65677A13C55C8E99983
                                                                                                                                                                                                                                        SHA-512:891D252ECD50BDED4614547758D5E301BDF8E71FBB1023FF89F8DE2F81927CC7CC84B98985D99E8FA8DCBF361E5117D9C625DC0D36983AFC3F2AA48A54CE3D48
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....h\..........." .........0...............................................@......}.....`A........................................P...e............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29144
                                                                                                                                                                                                                                        Entropy (8bit):4.946641263598223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MQM4Oe59Ckb1hgmLJWvhWdUN8HOhlxAnY:rMq59Bb1jeanOunY
                                                                                                                                                                                                                                        MD5:7A235962DBAB1E807C6EC7609FC76077
                                                                                                                                                                                                                                        SHA1:148DDD11A0D366313F75871007057B3F0485AB33
                                                                                                                                                                                                                                        SHA-256:F7C5D7394643C95FE14C07773A8A206E74A28DB125F9B3976F9E1C8C599F2AF1
                                                                                                                                                                                                                                        SHA-512:25B21EE7BB333E5E34D2B4A32D631A50B8FFAF1F1320D47C97C2A4DFF59FA2A2703CDF30638B46C800D3150EFAA4A2518C55E7B2A3B2E4273F43DD5CA83AE940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...J..R.........." .........P...............................................`............`A........................................P....%...........P...............P...!..............p............................................................................rdata...&.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29136
                                                                                                                                                                                                                                        Entropy (8bit):4.764408242494898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VA/kPLPmIHJI6/CpG3t2G3t4odXLJWvhWSUwlmX7aJdlGszti:y/kjPmIHJI6AFc7aJGT
                                                                                                                                                                                                                                        MD5:B3B4A0F3FCE120318E71DE3AFB6BB1AA
                                                                                                                                                                                                                                        SHA1:D3349409EC717F942769BA67FECA40557C1423D0
                                                                                                                                                                                                                                        SHA-256:A38E6786DC8EC6D2717343DBE00BB2FDDA008D87935BBD9371AE94E7E004270B
                                                                                                                                                                                                                                        SHA-512:4A130674DDBB05949665F6F7A070B25E82C34047D1E62EC60C73F815CED39A9041D972BE4E8C505F9B13C5BCDC114F3479BF8D69D7D9CF9987D39A6F5DB7F560
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....T............" .........P...............................................`............`A........................................P.... ...........P...............P...!..............p............................................................................rdata..D".......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):74192
                                                                                                                                                                                                                                        Entropy (8bit):5.1227875842071615
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:LLraHgDe5c4bFe2JyhcvxXWpD7d3334BkZnjPgB/P5W:baHgDe5c4bFe2JyhcvxXWpD7d3334Bkb
                                                                                                                                                                                                                                        MD5:7033AB91EA4F0593E4D6009D549E560F
                                                                                                                                                                                                                                        SHA1:4951CE111CA56994D007A9714A78CDADEEB0DACF
                                                                                                                                                                                                                                        SHA-256:BE7901AA1FACEA8E1FD74A62BDE54CC3BD8E898B52E76FABB70342B160989B80
                                                                                                                                                                                                                                        SHA-512:8BC3B880E31EBE3BC438A24D2AF249C95E320AC3C7A501027EF634F55AAB6FAC4F6D1090A00C29A44657A34EBADCD62023F2E947D31C192072698B645F8651ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....+..........." ................................................................e.....`A........................................P....................................!..............p............................................................................rdata..............................@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-process-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.608840616484201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:4adyqjd7VWvhWpWYnO/VWQ4mWB8nXEKup3JdqnajKszt0CkD:4aQ0WvhWpUnX7aJdlGszt0r
                                                                                                                                                                                                                                        MD5:55463244172161B76546DC2DE37F42BD
                                                                                                                                                                                                                                        SHA1:C10A5360AD5E340D59C814E159EA1EFCBF5BF3EE
                                                                                                                                                                                                                                        SHA-256:4166A32551989F960DAC7C0E296FFB28092F45F6539E7C450FA04BF17612BE73
                                                                                                                                                                                                                                        SHA-512:EACEC78FF95F60DEF6F7F27BDA4A84F1DD2DFA386EFC4F6DA770C37268DF83C5B402693EA5C29F54D48026579F3843DB26ADD4D6448EA10CBF7F14D4D14A72FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....w>..........." .........0...............................................@......M.....`A........................................P...x............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):4.795732177662406
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:oHUW9MPrpJhhf4AN5/KiZWvhWMWYnO/VWQ4mWLz8Y5H2vArqnajKsbTYCkI:oHUZr7PWvhW6UeH24rlGsbTYCx
                                                                                                                                                                                                                                        MD5:27C4A3BCC0F1DBA2DE4C2242CD489F3B
                                                                                                                                                                                                                                        SHA1:A704FD91E3C67108B1F02FD5E9F1223C7154A9CC
                                                                                                                                                                                                                                        SHA-256:315DED39D9E157CEC05D83711C09858C23602857C9D8C88BEEF121C24C43BE84
                                                                                                                                                                                                                                        SHA-512:793E74DFB1052C06AB4C29E7B622C795CC3122A722382B103940B94E9DAC1E6CA8039DF48C558EFCC5D952A0660393AE2B11CED5ADE4DC8D5DD31A9F5BB9F807
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...4{.+.........." .........@...............................................P............`A........................................P...4............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):5.082770273323341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DA2uWYFxEpahrWvhW/nWYnO/VWQ4mWSmRkH2vArqnajKsbTYMlBzK:DIFVhrWvhWfUERkH24rlGsbTYx
                                                                                                                                                                                                                                        MD5:306608A878089CB38602AF693BA0485B
                                                                                                                                                                                                                                        SHA1:59753556F471C5BF1DFEF46806CB02CF87590C5C
                                                                                                                                                                                                                                        SHA-256:3B59A50457F6B6EAA6D35E42722D4562E88BCD716BAE113BE1271EAD0FEB7AF3
                                                                                                                                                                                                                                        SHA-512:21B626E619AAF4EDA861A9C5EDF02133C63ADC9E893F38FEDE72D90A6E8BE0E566C117A8A24CA4BAB77928083AE4A859034417B035E8553CC7CCFB88CB4CBD9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...+b............" .........@...............................................P......'l....`A........................................P...a............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-string-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):5.075489018611419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:dozmT5yguNvZ5VQgx3SbwA71IkFPaPA6XHPe:dozmT5yguNvZ5VQgx3SbwA71IAaP7XH2
                                                                                                                                                                                                                                        MD5:EC1381C9FDA84228441459151E7BADEA
                                                                                                                                                                                                                                        SHA1:DB2D37F3C04A2C2D4B6F9B3FD82C1BE091E85D2C
                                                                                                                                                                                                                                        SHA-256:44DDAB31C182235AC5405D31C1CBA048316CC230698E392A732AC941EC683BAD
                                                                                                                                                                                                                                        SHA-512:EE9EBBDC23E7C945F2B291FDE5EB68A42C11988182E6C78C0AB8FA9CB003B24910974A3291BCDAA0C8D1F9DFA8DF40293848FB9A16C4BE1425253BED0511A712
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....w.e.........." .........@...............................................P......0.....`A........................................P................@...............@...!..............p............................................................................rdata../........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):5.000234308172749
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SNDKWvhW/WYnO/VWQ4mWVx2RoXEKup3JdqnajKsztg/J:RWvhWvUexqoX7aJdlGsztgx
                                                                                                                                                                                                                                        MD5:4CF70855444F38E1EB71F9C3CD1C6E86
                                                                                                                                                                                                                                        SHA1:D06AEC4008D397756EE841F0E7A435D1C05B5F07
                                                                                                                                                                                                                                        SHA-256:A409E25A9D3C252CC0A5AF9DF85D3733E946087B06CD1FB2CF1BF640EB0D49BA
                                                                                                                                                                                                                                        SHA-512:A13A80645E679343AC5638E8AA6A03012F16200CB3A4637BE52A01AA3BEF854324A8ED1882CA91B304B9C47B6351B1FC1671F4DEDE5BE77BC208A71FE6029064
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....p..........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-utility-l1-1-0.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.5308703760687745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:6PjfHQduHWvhWjWYnO/VWQ4mWEwXBXEKup3JdqnajKsztqOT+:QfxWvhWjUoXBX7aJdlGsztqx
                                                                                                                                                                                                                                        MD5:FCD6B29932D6FB307964B2D3F94E6B48
                                                                                                                                                                                                                                        SHA1:BE560F8A63C8E36A7B3FA48FF384F99F69A5D4F7
                                                                                                                                                                                                                                        SHA-256:CFB2EE4E426BB00B76163C1A66CF8CFEF8D7450CBF9BBCE3BC9EB2053F51E0E5
                                                                                                                                                                                                                                        SHA-512:3EDFCF559F1E21870277358E6D266A1A0CEA68B163B11C73108F3B6A56006D20B51410A3B4EA39BF80906BF6C9D573E1072697CFCD6A3D37E3679EA54757C69F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...w............." .........0...............................................@............`A........................................P...^............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):304912
                                                                                                                                                                                                                                        Entropy (8bit):4.237308620636253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sQX9Xit++0PJSKtOJsgI3mwNdmLZ8mTQfsqxs0w:X9xacWIfsq6T
                                                                                                                                                                                                                                        MD5:7A6F920B2A26507F381C9926FF3955E9
                                                                                                                                                                                                                                        SHA1:3ACB49A2097FDC6DAB19D855CC9E926CEF2CC991
                                                                                                                                                                                                                                        SHA-256:ACC3E8888821897CFA2175C1B6FA244D3F8F3B9C19C7D10D13ABB2B5DBF0BD31
                                                                                                                                                                                                                                        SHA-512:300056DAF903C41155A9CC21FA50580F5730978B052BA3E1437DFFE21BA4BF8B85DD56BE64C4DAC38317497B5E06136CA7FF7FA2C569A79D93641A1ACCEC8DA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d...0..f.........." .........|...........................................................`.......................................................... ..xx...........~...)..............T............................................................................rdata..X...........................@..@.rsrc...xx... ...z..................@..@....0..f........l...l...l.......0..f........................0..f........l...................................RSDSu{1^E..G...(.u......D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\clretwrc\clretwrc.pdb.............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....!..hw...rsrc$02....................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436960
                                                                                                                                                                                                                                        Entropy (8bit):6.484129501687899
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:5Ltbu58TIu2rlMBDr0PZYRhVj95f1L7Zr5/z/5ccUYXIBXzkTVsHgWolUZbGfqfZ:5LtHAcX0PZuhVDh7ZN7/6YXIBjkBsHgA
                                                                                                                                                                                                                                        MD5:1B4D16976D164450EE4353CEAB9D2FB3
                                                                                                                                                                                                                                        SHA1:D23DA40ABDF340AD7EB4BDFE236A2958734B9187
                                                                                                                                                                                                                                        SHA-256:F3B3025DA537F2CDDCBEA252F3B9FD806059E1E780388AF1F17717A08A88B31D
                                                                                                                                                                                                                                        SHA-512:D542C07705357B4F14FECEBB741C1A350CFE4DC1D62E798FA3D2BE454B5F6F36C679382EEAAE870A19F0BD4CA0C17015C095B449B3FA8B2DE4110DDF134678D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2.US..US..US..\+..YS...!..RS..US...S...&..tS...&..[S...&..\S...&..>S...&..TS...&y.TS...&..TS..RichUS..........................PE..d...a..f.........." .....,................................................... ............`A............................................t....................0..@....... )......|.......p....................k..(...@...8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data....<..........................@....pdata..@....0......................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\coreclr.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5125384
                                                                                                                                                                                                                                        Entropy (8bit):6.552501447077918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:gRRteSC8CjfXq6EoB/CEsRfJSa3Ed9A6oWUqCJ0OTVRSpih8IdCdTWOwxJ4aXmnF:oRqXB/CEA8JspP8LK1XHy
                                                                                                                                                                                                                                        MD5:3BAD185FF9C97D6BF3721BB5FCF94C93
                                                                                                                                                                                                                                        SHA1:C58124BAF2437902C1D1F2F955160D0976775F85
                                                                                                                                                                                                                                        SHA-256:AEC87D2F91D6A44DBA90F9BDEB7B3509D5A2C322E29A17CF29BCCEAE9092B6D9
                                                                                                                                                                                                                                        SHA-512:38639C67D78491074BB755177849A4E54EF9DF77E6CDF2EBAE3049D121A8AAB0987D5B442728CB05CC3B392112D298F6469E5E8256037B1BD1AADF897887E79F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.*.Nuy.Nuy.Nuy.6.y.Nuyj<qx.Nuyj<tx.Nuy.Nty.Ouy.;px.Nuy.;qx.Nuy.;vx.Nuys;vx.Nuys;{xlOuys;ux.Nuys;.y.Nuys;wx.NuyRich.Nuy................PE..d......f.........." ......<...................................................O.......N...`A.........................................LI.D...TMI......`O...... K.8.....N..)...pO.Ta....>.p.....................?.(...p.=.8.............<......JI.`....................text...a.<.......<................. ..`.CLR_UEF\.....<.......<............. ..`.rdata........<.......<.............@..@.data... .....I..:...PI.............@....pdata..8.... K.......I.............@..@.didat..8.....N......hL.............@...Section.......N......jL.............@..._RDATA...3... N..4...lL.............@..@.rsrc........`O.......M.............@..@.reloc..Ta...pO..b....M.............@..B........................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58208
                                                                                                                                                                                                                                        Entropy (8bit):6.336737113725061
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:BIkf5nMEPz7omzpq/4Jw1AsDZq7v653eUu8su9WWD9zWVV:3n5tLX626u8b9WWpzWVV
                                                                                                                                                                                                                                        MD5:555F420D213590062A1EA6CCBA22FF93
                                                                                                                                                                                                                                        SHA1:1D0FCFAAE1FF46B8CC13AFF0BC8B23E8B6744061
                                                                                                                                                                                                                                        SHA-256:679EF868F8A1792862D066DE2E4A6DC2581F8EA1B449A27700D0ABD41F305840
                                                                                                                                                                                                                                        SHA-512:0CD0FEBCC0DE9F3C7A061FF667F9DCAA42708D12D94BB24C5452E7AFD81588AEB914FA9F7BADA471FBE35AAB86A329D22D00B7A7053EDC8BEAE24F8BE104E99C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x.................x.....x9.....x....Rich...........PE..d......f.........."......h...N.......).........@..........................................`....................................................................P.......`)......h.......T...............................8............................................text....f.......h.................. ..`.rdata...6.......8...l..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):140552
                                                                                                                                                                                                                                        Entropy (8bit):6.417221597504487
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:/XY8Ja8dy1+iLfBcGPUZZceOiU8mJ/QQc962jqc413OygrxkwFOZiLazze:fLgDL+vU8mpcoOygrxk7Z1ne
                                                                                                                                                                                                                                        MD5:EB426FB0169349BD00996AD44A4DBCFB
                                                                                                                                                                                                                                        SHA1:E4310867F2A65106E8651B6896C6874C86DC5D9D
                                                                                                                                                                                                                                        SHA-256:7E71B48980907AD28B686454DBBD7AFFEB31EB5D0D483F10726318E78C2FA697
                                                                                                                                                                                                                                        SHA-512:CA18E9C294180E8B541E0B60EA1EA82F9E96E9FBD00512A183DF4FF02AC305572D7036C03CD222DE048E9D1F1AA3A8AC0CC479FEA21F8772F11CF62272EB8276
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.......................+.......*.......-......./......./.{.....'......................,.....Rich....................PE..d...8..f.........." .....^..........P........................................P......b.....`A............................................(...(........0..........|........)...@..........p.......................(... ...8............p...............................text....\.......^.................. ..`.rdata..Tx...p...z...b..............@..@.data...............................@....pdata..|...........................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):394504
                                                                                                                                                                                                                                        Entropy (8bit):6.310874586526877
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HBGjtNkrBCdJeD1QL3sQy8XyV0l0gzPI37VPzBzrBUh9epO1BE/XW9X:HBGjtNkU/rsQy8XyxnQaO0XW9X
                                                                                                                                                                                                                                        MD5:E91B1F5F3C422A8FABD79B2AB60D7534
                                                                                                                                                                                                                                        SHA1:24EA312FFA45D6611A4A487F7BD8185BF9E62F56
                                                                                                                                                                                                                                        SHA-256:3F08B69309BFE4B910D35AE6739EE8F650CB94428AE546222038DECD7BF102F7
                                                                                                                                                                                                                                        SHA-512:8E8B028123A710661CDD68F46A789186E3D73E8946B92582695D8A006854C92994DEBCD461E723EBC04E62499903D617B5D7568F20D79452FAF2ACCB21086200
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ux.U..YU..YU..Y.a.X_..Y.a.X_..Y.a.X...Y\l.YG..Y.f.XP..YU..Y...Y.a.XH..Y.a.XT..Y.a.YT..Y.a.XT..YRichU..Y........PE..d......f.........." .....D...................................................@............`A............................................ ... ........ ..........$0.......)...0..........p.......................(.......8............`...............................text...,B.......D.................. ..`.rdata...F...`...H...H..............@..@.data...............................@....pdata..$0.......2..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1320504
                                                                                                                                                                                                                                        Entropy (8bit):6.3740433775574274
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:I3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDH4Pecta:I7s7jsjS4znnqyIn7TrRUa
                                                                                                                                                                                                                                        MD5:5D5D12336DA85008B37919C795C56607
                                                                                                                                                                                                                                        SHA1:30F93505D325EFB2674C5F18CBD7603C0544F0EA
                                                                                                                                                                                                                                        SHA-256:70252416E6CB744F36B84AA3834C0EE9DFC3527EE97133DDD6AED0A2F178201C
                                                                                                                                                                                                                                        SHA-512:CC913259E618514AB7C7779C846C36E394CEF0EEA344DB1B9DB90B796525CD9F53987D927FDA94B28AB5E73B68FB9F258FDB5FE041B32D59AFFCB4E444AAE8C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eK.!*..!*..!*..(R..+*..s_...*..s_...*..s_..+*...X..%*...X..**..!*..*..._..*..._.. *..._B. *..._.. *..Rich!*..........................PE..d...v..f.........." .....(...................................................P............`A............................................p...`........ .......`..........8&...0..P...`d..p....................f..(....d..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data....!...0......................@....pdata.......`.......*..............@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc..P....0......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1320504
                                                                                                                                                                                                                                        Entropy (8bit):6.3740433775574274
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:I3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDH4Pecta:I7s7jsjS4znnqyIn7TrRUa
                                                                                                                                                                                                                                        MD5:5D5D12336DA85008B37919C795C56607
                                                                                                                                                                                                                                        SHA1:30F93505D325EFB2674C5F18CBD7603C0544F0EA
                                                                                                                                                                                                                                        SHA-256:70252416E6CB744F36B84AA3834C0EE9DFC3527EE97133DDD6AED0A2F178201C
                                                                                                                                                                                                                                        SHA-512:CC913259E618514AB7C7779C846C36E394CEF0EEA344DB1B9DB90B796525CD9F53987D927FDA94B28AB5E73B68FB9F258FDB5FE041B32D59AFFCB4E444AAE8C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eK.!*..!*..!*..(R..+*..s_...*..s_...*..s_..+*...X..%*...X..**..!*..*..._..*..._.. *..._B. *..._.. *..Rich!*..........................PE..d...v..f.........." .....(...................................................P............`A............................................p...`........ .......`..........8&...0..P...`d..p....................f..(....d..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data....!...0......................@....pdata.......`.......*..............@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc..P....0......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1268256
                                                                                                                                                                                                                                        Entropy (8bit):6.353781583662467
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:ZZdZVbcj9cSuINr2JeOayeFbpo7iE8o3c:LdZVbe9dNVOay8be7iTo3c
                                                                                                                                                                                                                                        MD5:04520F980CDAE284E8E277A5EEEEDDE0
                                                                                                                                                                                                                                        SHA1:553717161DB99170BF43A552F5ADE7D62D595C88
                                                                                                                                                                                                                                        SHA-256:0D2BAD6FB84641FB0C314A885A43659733A2FFE4FD30038D686D8943215085CD
                                                                                                                                                                                                                                        SHA-512:B6931CA1FB8E15E3EADA725477786CEFF1A5AC92A2BB6E6350BF826EB416E5E1CE1BB5F545C926EE86AC21B25F8B7569486F9A92E0BD237088482A9A5AE948A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........g.jy4.jy4.jy4...4.jy4..|5.jy4..}5.jy4..z5.jy4'.}5.jy4'.x5.jy4.jx4:jy4>.z5.jy4>.p5.jy4>.y5.jy4>..4.jy4>.{5.jy4Rich.jy4................PE..d...o..f.........." .....n................................................................`A.........................................n..`....p.......`..........D....4.. &...p......`...p.......................(......8............................................text...5l.......n.................. ..`.rdata...............r..............@..@.data...x............t..............@....pdata..D...........................@..@_RDATA.......P......................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58664
                                                                                                                                                                                                                                        Entropy (8bit):5.651805521522887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:v8zO+8uP8x/A15A4HI4gJl01Qa7ICltVtYFClobY9zJQ+M:kzO+8uA/A15A4o4gJq1DI+tEi4QzmH
                                                                                                                                                                                                                                        MD5:FBB5BF650AAEA448D918B2CEFE709039
                                                                                                                                                                                                                                        SHA1:D9A7B45DD8F22D24089DE96559D3BAC4D431FA47
                                                                                                                                                                                                                                        SHA-256:060AEFDEBF10E01A664A63C4330137DA0C0CC9F01A82E1FB09981E0369A7D365
                                                                                                                                                                                                                                        SHA-512:F34556DBA9EA69FCE8BC2D0EB95AB16048EEC1603F7CC9107F4ADE445A0694FE35DF120D21A42DA44B2516839191912E29CDA88685E67F5E2AD02DC9CE98128D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<............." ..0.................. ........... ....................... ............`.................................l...O.......(...............()..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B........................H.......P .............................................................BSJB............v4.0.30319......l...pL..#~...L..._..#Strings............#US.........#GUID...........#Blob............T.........3....................................,.....*-.........#.M...&.M.....M...M....h..)...$'....".2.....2...&.2..v$.2... .2.....2.....2...$.2..x..2...1.S.....S..5..]...$.M.................L.....L.....L..)..L..1..L..9..L..A..L..I..L..Q..L..Y..L..a..L..i..L..q..L..y..L.....L ....L.....L..

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147120
                                                                                                                                                                                                                                        Entropy (8bit):3.8679598076564816
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ZtgZms10iHvh7x8SKJlZ4vCCk7nw55IvZ4MgSZctpoEXXRWfzy:ZtgZ/aSKlZ4ZGnwmUS4ScRg2
                                                                                                                                                                                                                                        MD5:354AF4403A04CA4CAF359981635D08D4
                                                                                                                                                                                                                                        SHA1:A447720776EE112E45E08CFF574123A54ABD4A08
                                                                                                                                                                                                                                        SHA-256:15B115DEC61C47C0C10C49E98513EA8E4C83A9E2FC1F562F30FDB2CC1F620643
                                                                                                                                                                                                                                        SHA-512:BAABAB57981A6E7476FD9716FDB34585A5AA443067E2BFAADB0A79F2F7AAFFA31DEAD4B5559E43327EA0E3AE4A89CF131245C6C5852334906D0CC465E51F2230
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d...8..f.........." .........................................................@......f.....`.......................................................... ..`................(..............T............................................................................rdata..X...........................@..@.rsrc...`.... ......................@..@....8..f........j...l...l.......8..f........................8..f........l...................................RSDS.v...lbG..}.c.......D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb...............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....;.......rsrc$02....................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):517032
                                                                                                                                                                                                                                        Entropy (8bit):6.327188439808119
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:DD4t2kjj3Ueh/9WoJcDSdiA9HuUrUb9KcvYCxe3Rw42SISaVGxQJyRMq1KsLGjrT:DDrkjjUoJcDSdiw4QcO3RoS9MV
                                                                                                                                                                                                                                        MD5:B5D0F85E7C820DB76EF2F4535552F03C
                                                                                                                                                                                                                                        SHA1:91EFF42F542175A41549BC966E9B249B65743951
                                                                                                                                                                                                                                        SHA-256:3D6D6E7A6F4729A7A416165BEABDA8A281AFFF082EBB538DF29E8F03E1A4741C
                                                                                                                                                                                                                                        SHA-512:5246EBEAF84A0486FF5ADB2083F60465FC68393D50AF05D17F704D08229CE948860018CBE880C40D5700154C3E61FC735C451044F85E03D78568D60DE80752F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.................................................................................7...2......2......2.7....._....2......Rich............................PE..d.....Mb.........." .................E.......................................0.......H....`A........................................0y..|....y....... ..h........>.......'... ..........T...............................8............... ............................text...z........................... ..`.rdata...{.......|..................@..@.data...p2...........r..............@....pdata...>.......@...~..............@..@_RDATA..............................@..@.rsrc...h.... ......................@..@.reloc....... ......................@..B........................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\netstandard.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101640
                                                                                                                                                                                                                                        Entropy (8bit):5.506576792775679
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:XiTrnaN0HjO8MZYq5V4bgDHsPdPpwSJ5L3Akcg9Qjei+azJ:maN8qZYe4bgDUnNKjeu1
                                                                                                                                                                                                                                        MD5:24DE069D45146E3C9C58241640EBC228
                                                                                                                                                                                                                                        SHA1:7ADA4AFFD7F72B83888B9A2E6B6A3CA9F6A8498A
                                                                                                                                                                                                                                        SHA-256:3B9D2E148DA3B035B12DC0787F8C5B23EC502B2428F6593A1B5C65BF527A3D5C
                                                                                                                                                                                                                                        SHA-512:6136C2954C59BBC0B26CD8E99AA3A2523A62F9AC90F415F3E74206D638762BF5E46E8B9DD72FD30F50CFC1997F2F8BD9D09BA160ADE9B6D008BADA6B46CEFE3E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xr..........." ..0..Z..........6x... ........... ..............................p.....`..................................w..O.......8............d...)...........w..T............................................ ............... ..H............text...<X... ...Z.................. ..`.rsrc...8............\..............@..@.reloc...............b..............@..B.................x......H.......P ..DV...................v......................................BSJB............v4.0.30319......l.......#~..,.......#Strings.....R......#US..R......#GUID....R..P...#Blob............T.........3................................U...(......H.........5*....;*....'8.........., A...7.J..P4*U..5#*U...:*U..n7*U..&1*U....*U.../*U..(7*U...(*U...T-..../-...i&....7*................./...../...../...)./...1./...9./...A./...I./...Q./...Y./...a./...i./...q./...y./...../. .../...../...

                                                                                                                                                                                                                                        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1122768
                                                                                                                                                                                                                                        Entropy (8bit):6.6466118295886165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:CJG2BrB3ZQAq0AT2jS9HKHdK6AccMs1wmxvSZX0ypFi:0VGrT6SAk3ei
                                                                                                                                                                                                                                        MD5:3B337C2D41069B0A1E43E30F891C3813
                                                                                                                                                                                                                                        SHA1:EBEE2827B5CB153CBBB51C9718DA1549FA80FC5C
                                                                                                                                                                                                                                        SHA-256:C04DAEBA7E7C4B711D33993AB4C51A2E087F98F4211AEA0DCB3A216656BA0AB7
                                                                                                                                                                                                                                        SHA-512:FDB3012A71221447B35757ED2BDCA6ED1F8833B2F81D03AABEBD2CD7780A33A9C3D816535D03C5C3EDD5AAF11D91156842B380E2A63135E3C7F87193AD211499
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:K..:K..:K..K..:K..;K..:KK..K..:KK.:J..:KK.9J..:KK.?J..:KK.>J.:KK.4J..:KK..K..:KK.8J..:KRich..:K........PE..d................" .....0..........0^...............................................N....`A................................................................. ...........!...... .......p............................Z..8..............(............................text...X .......0.................. ..`.rdata......@.......@..............@..@.data....&....... ..................@....pdata....... ......................@..@.rsrc...............................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\Splashtop Streamer.lnk

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Oct 25 18:49:52 2024, mtime=Fri Nov 8 11:51:35 2024, atime=Fri Oct 25 18:49:52 2024, length=4642304, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2267
                                                                                                                                                                                                                                        Entropy (8bit):3.5015207732896685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:8G9iJEedOE4q2Ke1UkAlfdQ4dGdQcQTUUMCyfm:8G9FedOpJUzlfdtdGdlxH
                                                                                                                                                                                                                                        MD5:170B0ADCB1A52F6056EB44505475EAE3
                                                                                                                                                                                                                                        SHA1:18D973343F4C8A9C611F112640554BEE42825952
                                                                                                                                                                                                                                        SHA-256:59C78BE771C79260C3AA64D0A4BEA9CEA8B1D8DF2E6CB4A2A44DBA8D79B3A540
                                                                                                                                                                                                                                        SHA-512:4AC076CF92F5AD365543C1259F1B64F1EF2454A347A959B8BD8B2AE61880ED26C118671FCA3C865FFE67048E41DC84B95BE9629465FEA3ED2DDF22076830C82B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:L..................F.@.. .......'.......1......'....F.....................G....P.O. .:i.....+00.../C:\.....................1.....hYqf..PROGRA~2.........O.IhYqf....................V.......s.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....hYqf..SPLASH~1..D......hYqfhYqf............................s.S.p.l.a.s.h.t.o.p.....j.1.....hYqf..SPLASH~1..R......hYqfhYqf............................s.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e.....T.1.....hYvf..Server..>......hYqfhYvf...........................f..S.e.r.v.e.r.....f.2...F.YY:. .SRServer.exe..J......YY:.hYrf....'.........................S.R.S.e.r.v.e.r...e.x.e.......t...............-.......s...........7..c.....C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe..T.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.p.l.a.s.h.t.o.p.\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e.\.S.e.r.v.e.r.\.S.R.S.e.r.v.e.r...e.x.e.8.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.p.l

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\Installer\50d404.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878667758876642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:CA547B71F62C449C8E365701212469D9
                                                                                                                                                                                                                                        SHA1:43D9688CB60427723CF098896D762B010487BBEE
                                                                                                                                                                                                                                        SHA-256:C9CECDD28F5FE29825D83E1C3F022462926DE9AF99D388662D8C62B16D78E621
                                                                                                                                                                                                                                        SHA-512:6EBE3885CC2DDAD0C8579ECE4344D6C3B75929E389270AABD409ECDEA3772F7BAA1B866E0F4A37E706441C8A17D1E243CB9CD81B659FEC42DB69FCFFF1FA6F2E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d406.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878667758876642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:CA547B71F62C449C8E365701212469D9
                                                                                                                                                                                                                                        SHA1:43D9688CB60427723CF098896D762B010487BBEE
                                                                                                                                                                                                                                        SHA-256:C9CECDD28F5FE29825D83E1C3F022462926DE9AF99D388662D8C62B16D78E621
                                                                                                                                                                                                                                        SHA-512:6EBE3885CC2DDAD0C8579ECE4344D6C3B75929E389270AABD409ECDEA3772F7BAA1B866E0F4A37E706441C8A17D1E243CB9CD81B659FEC42DB69FCFFF1FA6F2E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d407.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Fri Oct 25 15:56:32 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53071872
                                                                                                                                                                                                                                        Entropy (8bit):7.963230061374655
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:6hz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/:g4ObGVUacXfXHEX2YHiAg7v+Mdj/
                                                                                                                                                                                                                                        MD5:33E6BF180DFDC83D8FE09F9ED2CB4912
                                                                                                                                                                                                                                        SHA1:657F5AB0681B5AEA27459CDA99D3C9C976AE72CD
                                                                                                                                                                                                                                        SHA-256:09988CCA8DA09D56FD13D2F7A8335245D23567CBA884925477849B605F20A464
                                                                                                                                                                                                                                        SHA-512:A1FB80F899086A263E3332D86A39ED49BE0D0598F2D5994828FDDF09012B39C2784DE95CE7238098ED6845450FE2BDE612DDD4BCF517EDA80B43C10D50E48738
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...................*...............8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...:...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y.......[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                                                                                                                                                        C:\Windows\Installer\50d40a.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Fri Oct 25 15:56:32 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53071872
                                                                                                                                                                                                                                        Entropy (8bit):7.963230061374655
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:6hz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/:g4ObGVUacXfXHEX2YHiAg7v+Mdj/
                                                                                                                                                                                                                                        MD5:33E6BF180DFDC83D8FE09F9ED2CB4912
                                                                                                                                                                                                                                        SHA1:657F5AB0681B5AEA27459CDA99D3C9C976AE72CD
                                                                                                                                                                                                                                        SHA-256:09988CCA8DA09D56FD13D2F7A8335245D23567CBA884925477849B605F20A464
                                                                                                                                                                                                                                        SHA-512:A1FB80F899086A263E3332D86A39ED49BE0D0598F2D5994828FDDF09012B39C2784DE95CE7238098ED6845450FE2BDE612DDD4BCF517EDA80B43C10D50E48738
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...................*...............8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...:...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y.......[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                                                                                                                                                        C:\Windows\Installer\50d40c.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d418.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d419.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.35 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.35 (x64)., Template: x64;1033, Revision Number: {76657AF8-AF4E-4FA9-9A39-80AC267D9B11}, Create Time/Date: Fri Sep 20 22:46:46 2024, Last Saved Time/Date: Fri Sep 20 22:46:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27254784
                                                                                                                                                                                                                                        Entropy (8bit):7.993818546625114
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:393216:S9tkUbkbvqusHBmlh8dvMt0NDf8K/36n8lxjNnLBKopkJUjy/AlhxH169Dqnw+Oz:24qu1lMDf8Kyn83jNltkJ7JGnTOaTm
                                                                                                                                                                                                                                        MD5:D9F7AE6A57AF83B652711426C4834045
                                                                                                                                                                                                                                        SHA1:98D255AECDBFD1BAE9FF533D4C7E5DBE5D0E1833
                                                                                                                                                                                                                                        SHA-256:AF1319821632F2CEB79C61B4CA6EB53A6341FBA295C02716418216857AF7F4E0
                                                                                                                                                                                                                                        SHA-512:5C7DB8C0617125DEB27DE37B056FEEAEAF18585A12AD347A6E6C132AE438E1EB0F27180BC700BD8322E5D5A30E7CEFA62B123E7B0B9CD85E1B8605C0B195BE03
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d41c.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.35 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.35 (x64)., Template: x64;1033, Revision Number: {76657AF8-AF4E-4FA9-9A39-80AC267D9B11}, Create Time/Date: Fri Sep 20 22:46:46 2024, Last Saved Time/Date: Fri Sep 20 22:46:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27254784
                                                                                                                                                                                                                                        Entropy (8bit):7.993818546625114
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:393216:S9tkUbkbvqusHBmlh8dvMt0NDf8K/36n8lxjNnLBKopkJUjy/AlhxH169Dqnw+Oz:24qu1lMDf8Kyn83jNltkJ7JGnTOaTm
                                                                                                                                                                                                                                        MD5:D9F7AE6A57AF83B652711426C4834045
                                                                                                                                                                                                                                        SHA1:98D255AECDBFD1BAE9FF533D4C7E5DBE5D0E1833
                                                                                                                                                                                                                                        SHA-256:AF1319821632F2CEB79C61B4CA6EB53A6341FBA295C02716418216857AF7F4E0
                                                                                                                                                                                                                                        SHA-512:5C7DB8C0617125DEB27DE37B056FEEAEAF18585A12AD347A6E6C132AE438E1EB0F27180BC700BD8322E5D5A30E7CEFA62B123E7B0B9CD85E1B8605C0B195BE03
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d41d.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 6.0.35 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 6.0.35 (x64)., Template: x64;1033, Revision Number: {4E46258D-E612-40D6-A98B-8F64771E3561}, Create Time/Date: Fri Sep 20 22:45:38 2024, Last Saved Time/Date: Fri Sep 20 22:45:38 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):876544
                                                                                                                                                                                                                                        Entropy (8bit):6.764930942879866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2F1vYgTqU8VKIvZUlkj/cBhZeK4lu/XdmYw:Q/THWvZgkjcDefMFm
                                                                                                                                                                                                                                        MD5:D8BEAFDEDBD946A6A8FC665AF000ED79
                                                                                                                                                                                                                                        SHA1:2BFE61EADB6172CB71CEA0155A7304630B28B13E
                                                                                                                                                                                                                                        SHA-256:671E5EF4766CAC4AA479E7445F52892D1807F63269BDA8159A584C540FB56706
                                                                                                                                                                                                                                        SHA-512:2774D5A5158BCE463819DBC2DDC065DA502A1C6C75A800A815BEEB028C95000263F42B6E6012FC979A3A5AC51B9027B231685739F7A0D7043178762B1602A9B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d420.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 6.0.35 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 6.0.35 (x64)., Template: x64;1033, Revision Number: {4E46258D-E612-40D6-A98B-8F64771E3561}, Create Time/Date: Fri Sep 20 22:45:38 2024, Last Saved Time/Date: Fri Sep 20 22:45:38 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):876544
                                                                                                                                                                                                                                        Entropy (8bit):6.764930942879866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2F1vYgTqU8VKIvZUlkj/cBhZeK4lu/XdmYw:Q/THWvZgkjcDefMFm
                                                                                                                                                                                                                                        MD5:D8BEAFDEDBD946A6A8FC665AF000ED79
                                                                                                                                                                                                                                        SHA1:2BFE61EADB6172CB71CEA0155A7304630B28B13E
                                                                                                                                                                                                                                        SHA-256:671E5EF4766CAC4AA479E7445F52892D1807F63269BDA8159A584C540FB56706
                                                                                                                                                                                                                                        SHA-512:2774D5A5158BCE463819DBC2DDC065DA502A1C6C75A800A815BEEB028C95000263F42B6E6012FC979A3A5AC51B9027B231685739F7A0D7043178762B1602A9B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d421.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 6.0.35 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 6.0.35 (x64)., Template: x64;1033, Revision Number: {C44636B0-CF91-423F-8EBB-E5C6C9CC18A4}, Create Time/Date: Fri Sep 20 22:45:28 2024, Last Saved Time/Date: Fri Sep 20 22:45:28 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):811008
                                                                                                                                                                                                                                        Entropy (8bit):6.575095120429218
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:4gJcuBRFvqU8VKIvZUlkj/cBhZeK4lu/XdmYwh:46zBRlHWvZgkjcDefMFm
                                                                                                                                                                                                                                        MD5:C06D2181660306AE33B8D5E37DD4E98D
                                                                                                                                                                                                                                        SHA1:2B7F6A21BDB9E2414C3B13AA357C395512A86499
                                                                                                                                                                                                                                        SHA-256:D09C105D0C6E5D89D4E53499288135FF53AAAC76EE1E11470EC1AE49CC4A485E
                                                                                                                                                                                                                                        SHA-512:96205082A1C94370D7D4DA90C319A0D0E3AF8FB53B2A33097C86A0D8EC14963745A940E38FB31B68394847AA80467E41CA1B5F83685F25B779521676DBA1EA4C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\50d424.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 6.0.35 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 6.0.35 (x64)., Template: x64;1033, Revision Number: {C44636B0-CF91-423F-8EBB-E5C6C9CC18A4}, Create Time/Date: Fri Sep 20 22:45:28 2024, Last Saved Time/Date: Fri Sep 20 22:45:28 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):811008
                                                                                                                                                                                                                                        Entropy (8bit):6.575095120429218
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:4gJcuBRFvqU8VKIvZUlkj/cBhZeK4lu/XdmYwh:46zBRlHWvZgkjcDefMFm
                                                                                                                                                                                                                                        MD5:C06D2181660306AE33B8D5E37DD4E98D
                                                                                                                                                                                                                                        SHA1:2B7F6A21BDB9E2414C3B13AA357C395512A86499
                                                                                                                                                                                                                                        SHA-256:D09C105D0C6E5D89D4E53499288135FF53AAAC76EE1E11470EC1AE49CC4A485E
                                                                                                                                                                                                                                        SHA-512:96205082A1C94370D7D4DA90C319A0D0E3AF8FB53B2A33097C86A0D8EC14963745A940E38FB31B68394847AA80467E41CA1B5F83685F25B779521676DBA1EA4C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI1954.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4718639
                                                                                                                                                                                                                                        Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                        MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                        SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                        SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                        SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI1E66.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4718639
                                                                                                                                                                                                                                        Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                        MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                        SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                        SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                        SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI232A.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):182768
                                                                                                                                                                                                                                        Entropy (8bit):6.29474871459677
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:M3hCcV2YVWR8xSSIqeCjEIz+hZvgvE5Q+yq8MPdJ0xH:ErTz9Pj/Ag/+XPw
                                                                                                                                                                                                                                        MD5:9ED1749276D20BE78D5E7A30D658C484
                                                                                                                                                                                                                                        SHA1:EAAEA2656A63366A888955CE030E091FEA70F0F6
                                                                                                                                                                                                                                        SHA-256:61F398C652504FEE07AF12AC50D4A70ECFF641234A4EDA59C68EC937B6D80C96
                                                                                                                                                                                                                                        SHA-512:33ACF0BDBD1F33526D348A47BC00963843FC72EB203DF07D0136110109C892FB20AA9D3147204F958B95D750F7F98EB5DF3C387ED4B8802B7F929F201B41E90F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x......................K.......................n...............nz.....K.......K.......K.........T.....K.......Rich....................PE..L....7.d...........!.................................................................I....@..........................E..a....6..........p................-......t...................................h...@............................................text............................... ..`.rdata..............................@..@.data...41...P.......:..............@....rsrc...p............L..............@..@.reloc...H.......J...R..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI25CB.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2687.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2FFE.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI406.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4718639
                                                                                                                                                                                                                                        Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                        MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                        SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                        SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                        SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI44DF.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435979
                                                                                                                                                                                                                                        Entropy (8bit):6.651489456463589
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:et3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:+zOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                        MD5:91712E8FC693C67AD3946A7B7FCD5F9E
                                                                                                                                                                                                                                        SHA1:7FCD2A6108C328BF5265B4EC8281553F22534A38
                                                                                                                                                                                                                                        SHA-256:8D29429504BBA3F482189A2091AB0384359E3DC730CE2FCAD0ABBA41F82BAF67
                                                                                                                                                                                                                                        SHA-512:89D3D19D4638129E38406179FAE54A72A55D864D629A8DCA19937581AADF476F4ECD59A8660F7C77EF5F747B5B6B4F8CEBA284CF793F789460464655D69FF7F5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI44DF.tmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI44DF.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..ateraAgentSetup_1_8_7_2.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.......

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI47FD.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4AFC.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4B7A.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI624E.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437217
                                                                                                                                                                                                                                        Entropy (8bit):6.647787264508923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:6t3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4KsT:CzOE2Z34K+zOE2Z34Ky
                                                                                                                                                                                                                                        MD5:F7735CDDB5BDD0FEE78164A2AD04AC35
                                                                                                                                                                                                                                        SHA1:00BD730320BCE3EF8168446108736B512EC1BBD8
                                                                                                                                                                                                                                        SHA-256:FA09894F96CF9AD5BC019025EEB55FACDEDF7693BC38120D515585355A2BBBEA
                                                                                                                                                                                                                                        SHA-512:341EACDC2D5DD4BCEBCA03A79F8A7E93029D00AB2551735EA55384DAFC67C1DA34A61DF86D451B27CE095E5288AEA43F62C1525F631D4D6EA9F9F6C33E888851
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI624E.tmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI624E.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI625F.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI62ED.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI634B.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68CB.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7DF9.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7F14.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):84904
                                                                                                                                                                                                                                        Entropy (8bit):5.644590229768173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:8fsMvnDNpt3Hss+bEQjDhvBfHkuMfw9HcISmiWessgt7S2tsMv2XsP4G3IJ7k3Nw:isMvnbN+bxXIW3u
                                                                                                                                                                                                                                        MD5:F956CEF5F12F7DCB604B3BB38E584EAB
                                                                                                                                                                                                                                        SHA1:CFC90F8AB3C2B81732F0C9E0B0C4B084454663CC
                                                                                                                                                                                                                                        SHA-256:51B4DDFF798E02A8A721A55886BD0794B5347A010783546E51F09EC35972B138
                                                                                                                                                                                                                                        SHA-512:08D7AC837D509B815E41D0142927385E7B903783018C6AA126833ED0F8225F446DEE4586C1DEA4C49C6A43F0093E4EC6BDAB5F962BC1F1BB161A67FD066087F8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}%.Microsoft .NET Runtime - 6.0.35 (x64)!.dotnet-runtime-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{76657AF8-AF4E-4FA9-9A39-80AC267D9B11}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{BCDE6883-BAB7-54AB-B504-D8C3F75FDB2A}S.02:\Software\Classes\Installer\Dependencies\dotnet_runtime_48.140.21458_x64\Version.@.......@.....@.....@......&.{F621578B-E081-5FC4-B0C5-A151B816DC51}D.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.version.@.......@.....@.....@......&.{B0658A77-9697-57AB-AEF0-C49F5788A264}^.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dll.@.......@.....@.....@......&.{120A93F0-81ED-50CA-84

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI9C80.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI9DAA.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI9E09.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2805
                                                                                                                                                                                                                                        Entropy (8bit):5.773187588639355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:xLgodt08v2Oh0giUHMb6P3q2Ym1kSD8SuhJB4yKeU1Den6DZk3EVltibVq:xLgodtfO40YHP2YhYJCZe6i6DZk3EPQI
                                                                                                                                                                                                                                        MD5:2CB5F04D7D1293A1998A3EA05C69E330
                                                                                                                                                                                                                                        SHA1:EC71D36BD9DD34C7EADD3490840E94465CF3D3E2
                                                                                                                                                                                                                                        SHA-256:F07E0603FF819CC30DD1D3A0DDD493DD47E65D0EC843DA76F47F8699BA2C65E8
                                                                                                                                                                                                                                        SHA-512:2DDA60153922859FFFEDF58DA9DC80BE3E13E2997D451AAC23EF7D2A2E4246040B87726BC3CC425A899816CE4889BCEF34A7B86D72C3C739B210D2C14A0A599A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{E91F8AC1-4917-455E-AACA-B40B193C7A62}..Microsoft .NET Host FX Resolver - 6.0.35 (x64)!.dotnet-hostfxr-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{4E46258D-E612-40D6-A98B-8F64771E3561}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3262256-B959-50C5-91BD-D2C1656236F1}W.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.140.21458_x64\Version.@.......@.....@.....@......&.{B59DD035-01D3-57CD-A06D-224838439FEA}3.C:\Program Files\dotnet\host\fxr\6.0.35\hostfxr.dll.@.......@.....@.....@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\hostfxr\Version.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Dir

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI9EC5.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA02D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA07D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4254
                                                                                                                                                                                                                                        Entropy (8bit):5.722564619765489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:xLmgjdqJLaU3gtEVPQHLxgbmt3tFbSuce6OLDDkrQEPbdBZ:d3qEUweUeKJLSuce6hkWbF
                                                                                                                                                                                                                                        MD5:C87D5806791414EB7DEFD771FC1938B4
                                                                                                                                                                                                                                        SHA1:3302E3A6807EEA7339C7F92DBC6E8F6AD7245271
                                                                                                                                                                                                                                        SHA-256:4F3DEA509A8AE7074FE93F5D1B370A539191BEDBD18BC6D6878F22CA5E47A8A8
                                                                                                                                                                                                                                        SHA-512:A7BFA40204ED8D152B3AB4D20088806972CA3881942BBBF96F265ABB0736D6C1B89451DB42BFD0F3E751D9B23332EF582F9589FF6E4EFC957C6FF47D2ED3AB34
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}".Microsoft .NET Host - 6.0.35 (x64)..dotnet-host-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{C44636B0-CF91-423F-8EBB-E5C6C9CC18A4}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3AB1371A-161F-5BD9-98C8-F9BF7A103CA5}X.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version.@.......@.....@.....@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}".C:\Program Files\dotnet\dotnet.exe.@.......@.....@.....@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}B.22:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\sharedhost\Version.@.......@.....@.....@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA262.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIAD74.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):182768
                                                                                                                                                                                                                                        Entropy (8bit):6.29474871459677
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:M3hCcV2YVWR8xSSIqeCjEIz+hZvgvE5Q+yq8MPdJ0xH:ErTz9Pj/Ag/+XPw
                                                                                                                                                                                                                                        MD5:9ED1749276D20BE78D5E7A30D658C484
                                                                                                                                                                                                                                        SHA1:EAAEA2656A63366A888955CE030E091FEA70F0F6
                                                                                                                                                                                                                                        SHA-256:61F398C652504FEE07AF12AC50D4A70ECFF641234A4EDA59C68EC937B6D80C96
                                                                                                                                                                                                                                        SHA-512:33ACF0BDBD1F33526D348A47BC00963843FC72EB203DF07D0136110109C892FB20AA9D3147204F958B95D750F7F98EB5DF3C387ED4B8802B7F929F201B41E90F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x......................K.......................n...............nz.....K.......K.......K.........T.....K.......Rich....................PE..L....7.d...........!.................................................................I....@..........................E..a....6..........p................-......t...................................h...@............................................text............................... ..`.rdata..............................@..@.data...41...P.......:..............@....rsrc...p............L..............@..@.reloc...H.......J...R..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIAE31.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):171064
                                                                                                                                                                                                                                        Entropy (8bit):6.093983981233022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:jq44uv69SIrScxe0IZNJ+x+uk+hZPDFNkXAO4VR:jfn2Slcxe0Fc9CcQO2
                                                                                                                                                                                                                                        MD5:E80F90724939D4F85FC49DE2460B94B5
                                                                                                                                                                                                                                        SHA1:512EA4DEBA1C97CC7EC394BCE0E4A32CD497176E
                                                                                                                                                                                                                                        SHA-256:8041D3CCBAFA491D35F70030C3AFEBA683B0235BED24F242878D04C7E87B8687
                                                                                                                                                                                                                                        SHA-512:9494F1CD058DC3923E4F562D8ED2EDF3D252F519EFC6DB4F1B5289D8A1B841A6CB927E14D33DAB98E0BD4D22A5A473B8CD9424F77213527FBE0C183126356767
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._`,"..Bq..Bq..Bq..q..Bq<.q..Bq..q..Bq..q/.Bq..qh.Bq.y.q..Bq.y.q..Bq..Cq..Bq..q..Bq..q..Bq..q..Bq...q..Bq..q..BqRich..Bq........PE..L...`.a...........!.....p...$.....................................................P...................................m............`..p............x..8$...p.. .......................................@............................................text....o.......p.................. ..`.rdata..M............t..............@..@.data....1... ......................@....rsrc...p....`.......$..............@..@.reloc...L...p...N...*..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB18D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4718639
                                                                                                                                                                                                                                        Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                        MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                        SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                        SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                        SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIC6CB.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4718639
                                                                                                                                                                                                                                        Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                        MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                        SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                        SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                        SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICAD4.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):563559
                                                                                                                                                                                                                                        Entropy (8bit):5.783987701414106
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:4wiB7f8m8end5Xy+1kvI8k9W91iVXuXskIhh:4Lh8edk+1kv5K+Whh
                                                                                                                                                                                                                                        MD5:A639FB802D0683F9EB03D74B3A5CC6AD
                                                                                                                                                                                                                                        SHA1:672BCA03DEB8E2C5FFB020EB37776122D8AF779F
                                                                                                                                                                                                                                        SHA-256:DFE49DB96661A55845BE0425FC35DB2D0ABBB8D74E0FE407217D90C86212CB79
                                                                                                                                                                                                                                        SHA-512:9E5FA198C49773380697999BFE68684FF6BEE56A206E20F67609414E873A1CF6A4F2AA23C32ECA569F787BF354238B08316FAFBAFC7FEB403FA124D2AA9E49EB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@q>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}2.C:\Program Files (x86)\Splashtop\Splashtop Remote\.@.......@.....@.....@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}M.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm.@.......@.....@.....@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}@.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\.@.......@.....@.....@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}Z.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_dr

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICED.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSICED.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICED.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICED.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICED.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICED.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID54C.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID54C.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID54C.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID54C.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID54C.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID54C.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID81C.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID81C.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID81C.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID81C.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID81C.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID81C.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID81C.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEAF9.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIEAF9.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEAF9.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEAF9.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEAF9.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEAF9.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIED2C.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437323
                                                                                                                                                                                                                                        Entropy (8bit):6.648077358787112
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsK:dzOE2Z34KGzOE2Z34K1
                                                                                                                                                                                                                                        MD5:E7DD2E0B246B2CAE9E1AF32CAEF2A5B3
                                                                                                                                                                                                                                        SHA1:A37ED03029810C580B981B37959E086614BDADDD
                                                                                                                                                                                                                                        SHA-256:977C63727DEE92B1DE2376E2EC952D78DDB6C04A43F145F30AAE4DC5BDEA5A46
                                                                                                                                                                                                                                        SHA-512:0DF0EAEFD6DD5DD8BFF67195023438760CBA9C442FA06142B1616CF3468B9A936FA4A9214CCCE4797D4DD35CC5178A3A2C56AEDA735AA8489906BF576D3BA93A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIED2C.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@R>hY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..z8yxMFhhZI.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[...................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIED5C.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEDAB.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF0E8.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIFF43.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14156720
                                                                                                                                                                                                                                        Entropy (8bit):7.5774034236045535
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:393216:MB9FTi+H/9aOq5B9FTi+H/9aOqwB9FTi+H/9aOqN:sx/YOqRx/YOq4x/YOqN
                                                                                                                                                                                                                                        MD5:DA76F3FB31EFDC61D54CB3DE76316533
                                                                                                                                                                                                                                        SHA1:01011E6354E69241F8D6D9137039592123B28E76
                                                                                                                                                                                                                                        SHA-256:5D4AC67E1DDFFADCEA3E5355AC9D205549102A89D381D010CA194FFAAF389B23
                                                                                                                                                                                                                                        SHA-512:81C32EF380C443EFC9C6C26215C70208992A417D1D53ADC21582557AAB9731EBE7E79259A46C4CEACDE6CA59817E05EA63595D775FD49FB2BB3BC295EF861DF5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@w>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........Util_UpdateSetting....J...Util_UpdateSetting.@....../.H.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f...

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1727277438657633
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fj6/AGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:JSQI5wBTr/F
                                                                                                                                                                                                                                        MD5:79406F904CF99ABFC529D45DC7FC0042
                                                                                                                                                                                                                                        SHA1:E99D284C0029B548B1CC13EBC33D7BC4B20B0899
                                                                                                                                                                                                                                        SHA-256:3EC527F3166AB8234C32C1388622BE54A4D66DD1E2D76834D76C6E355A70FE2E
                                                                                                                                                                                                                                        SHA-512:0B08AC71175537992BA3948298E9D2D16348D7DAE3A51B4BC8F1433D61C6BB10E57F63EA8CE411DAFD74BCFA1CBED6A10A4382EEB82C2CB3B5446B42CB6FC942
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1627264751106523
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjvAGiLIlHVRpMh/7777777777777777777777777vDHFn5Np3Xl0i8Q:JVQI5chF6F
                                                                                                                                                                                                                                        MD5:5ECEE9EF63B459EFE48EC9BCD90001C5
                                                                                                                                                                                                                                        SHA1:5E0E443E559A8B4618D2CB0970E4DF8DAB51B247
                                                                                                                                                                                                                                        SHA-256:042422FF422E9B8731ACDAB4C24FF94EF6DDFAD904F6A9DADC133E315E949E0D
                                                                                                                                                                                                                                        SHA-512:3E75FAB5FE9C3C57C6E6845C5A86F637E61FA86A0869085CE03A18F758B6918B5EC6BC1954AC0064EF171F09DAA88BC58042A1838ABFEC12741906BAE11DD3FC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{C59601A1-771B-426B-A9F7-6CACCAC4DB4E}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1728119673145738
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjpAGiLIlHVRpph/7777777777777777777777777vDHFw6CbWl0i8Q:J3QI5d5CXF
                                                                                                                                                                                                                                        MD5:B6B8CC9EC1EDA212F03FE6B75E98A489
                                                                                                                                                                                                                                        SHA1:5923BCE8241F2161159DAFCD7B4C6F73EC627BC3
                                                                                                                                                                                                                                        SHA-256:8A121C7ECDBA7F0B798D514A5D56D0760595A67D0B5A10F0ACD611DBA942925A
                                                                                                                                                                                                                                        SHA-512:41B40A88218ACB559E261CC20E3A590226052A0379872A3FC1D251F34E9F0DB61346F1C49BC501D77CAAB726305AEE30E25F21A66C3E0CDC07D6F6AE0E63C103
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1750832178576214
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjuQAGiLIlHVRpUh/7777777777777777777777777vDHFxgIjNxKR/XlN:JvQI5E5NxKJ6F
                                                                                                                                                                                                                                        MD5:104AD2FF3992EFB3EF7B7713B23F3053
                                                                                                                                                                                                                                        SHA1:9C9B98A7FA965BEC4B870B9564F98A151C717A31
                                                                                                                                                                                                                                        SHA-256:E85BD9E78B92268AA0E5AD66941630E3793107DCAAA2EE4CC1EDCE85333E3163
                                                                                                                                                                                                                                        SHA-512:491BE87F0E2D1BABA31E1FB8069108CB6A57C7DCB9D3FD61FE2427757E7C928A2AEDAFB4FC4A81B184927CF2B71E05896CF31BC3352C2AA47E1656763CB4F63B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1650514196264836
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjvAGiLIlHVRpZh/7777777777777777777777777vDHF9it/l0i8Q:JFQI5tGiF
                                                                                                                                                                                                                                        MD5:C079844FDC412EB7800E7708D5666363
                                                                                                                                                                                                                                        SHA1:8321512B599D756BBC5B12802446A00ACF156F7C
                                                                                                                                                                                                                                        SHA-256:AB4575A2C63FB7377827EB122BAC028907A3C37593336834B14176F80D28636A
                                                                                                                                                                                                                                        SHA-512:D33677602639434EFE20993530042E5A349C2E402D8998E5C0E174105AFFB2E318744363B8A63DB4C450A3327FBF3A3011AA3F1DBDE8A97A2398146CAF744AB7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{E91F8AC1-4917-455E-AACA-B40B193C7A62}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1738909205102068
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjjAGiLIlHVRpUh/7777777777777777777777777vDHFjfIaqR/Xl0i8Q:JZQI5ElIaqJ6F
                                                                                                                                                                                                                                        MD5:08B97BA2D2304216FDFFBE2580DCF41B
                                                                                                                                                                                                                                        SHA1:B93078915027B525ABF84082F2E6275BD160634B
                                                                                                                                                                                                                                        SHA-256:44E81751F5D6890D7F8D236AF24E2E583105ECE208315A4D913F7D2DCC181E01
                                                                                                                                                                                                                                        SHA-512:20E8FE026D2B0420F39A970398FA3538068F3796B437D607E3EBF58930ECBDB5645DFCE43BC9B9CBD622A4592C00C0B5B117611A18BBBB9E73FAB857009E138B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6030511717708045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:V8PhTuRc06WXzAjT55ddWibSjndd4d/EqdGUDjybQqSsndd4dXE8:4hT11jTtdWc93DONg
                                                                                                                                                                                                                                        MD5:4DA9A778EE6B0728A3C1B89FC4A645F6
                                                                                                                                                                                                                                        SHA1:3C20546707F63263DD5B48DB78C2FDB81D042FE7
                                                                                                                                                                                                                                        SHA-256:EADF7D1283E89DBF1DB25A68B8181170D32ABE065BC0ED65CB9F4A4223A48EBC
                                                                                                                                                                                                                                        SHA-512:89B91359A7AC58B1F0F0250BB6F645C02BB9F17A6D15D8EE7E4B1030D70DECBBAA3D6C41D54AE34F228E2C4B11C6E6269F3CFE798F6C01A5C5B54CDA3ABECCA5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):454656
                                                                                                                                                                                                                                        Entropy (8bit):5.348929773767357
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:D7f8m8end5Xy+1kvI8k9W91iVXuXskIhT:/h8edk+1kv5K+WhT
                                                                                                                                                                                                                                        MD5:149336F319D9AE2CA49E49FC61E834AC
                                                                                                                                                                                                                                        SHA1:E00591F432E8B306A349D76BF280736E4509E49F
                                                                                                                                                                                                                                        SHA-256:9E06D2D011DA7F988CF974584BB9F2D780D2460DAE92B02FF13F50FC2B3ED2E8
                                                                                                                                                                                                                                        SHA-512:BF7BC7C5FCD881C2A2E19914A0C3D765BED36D63C3FF0D60C07DA4CB8072F45DA3BC0DE7605BFE83B23E0572F1B700C0B613C049DC613F7470C095AE7EC9931D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L......a.................@...................P....@.........................................................................4T..(........^...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....^.......`..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432221
                                                                                                                                                                                                                                        Entropy (8bit):5.375170980382992
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau2:zTtbmkExhMJCIpErX
                                                                                                                                                                                                                                        MD5:7EE093A5E3A103DB07C4BE621146B206
                                                                                                                                                                                                                                        SHA1:F2B7EA259BE80CB41F363720979A96DD33898AA5
                                                                                                                                                                                                                                        SHA-256:A2046BEBC21C015CA94A03BE3484FB02C41F8755FF0B7C17E1DAB83F5F257E9F
                                                                                                                                                                                                                                        SHA-512:2E8B469F3472F1FDCACB7EDE3C4059BD88A60E390FCA0A2631D108282F209D71D9DC655FC0F00A6D96AE1B275163987322D2F41300BDBC83D1920379079F5E8C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.60721185299801
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq905h44TokOdbIadHzEPLnOkV5BR4gTmDqAR3z1Is:5t6ZlzEDnr5kNz1N
                                                                                                                                                                                                                                        MD5:91FA1EA174BEBC1127BA9ED5019809A0
                                                                                                                                                                                                                                        SHA1:1D11535AF259DCC9895C74B0DE11B8A3033A432C
                                                                                                                                                                                                                                        SHA-256:24D4282ECD46D28FB4B972CEA33D3A4F0627BA867BCE15DD5BE391779D3F1BAD
                                                                                                                                                                                                                                        SHA-512:84FA89DD06FAF6C349B3FF76CB065D73F72A46DC56FA02E0E24DB2E27FB2B75A8DBCCEABE8BDFC927EE5634E1E54EE877CE6D3BC0D0DAC595CFC76F234707274
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241107164323Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB.......`.< ._......20241107162701Z....20241114152701Z0...*.H.............~<1..k%..P.eV./...F..gP..$.SU3..'.....M.....O..N.....@cN.>...VD.......?.............C..P..mF.~i|+"..8K.G.e.FjEQ......~..z.<=Zk...:.......??.7|.h. ?.!.j..:.v....mUw[.Y...-!.^C...........*...w..(2n..DX..b.vl....M......]...Dbx...u".....oHg.N.[....~.....:).Q>...u<..b.....AT..I.\..yb2...s.B=..]_{Z.Q..{.B/)...YQ@...t._..9.....H.?.~..`%..<.q...P..V.....:....5.'^...~F..L..z.;K..]...\.M.1.@.PT..~^_JP.......pa+wu..J.ZO..;..6.:P.Z....~y.....O.W..G..A.9.\kT....#...........[v.$.$...f.P...L...

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.562070540258883
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZSc5RlRtBfQwRhs5vCZgPVrVJEYbw7OIiVFQlb8PjcNCUAnqr/E:5i8cdZTRhG+gPZPfIgMb8PjcNCa/E
                                                                                                                                                                                                                                        MD5:EB9A1D98CC4B6AC3D674A6621DF5A758
                                                                                                                                                                                                                                        SHA1:5E9BC182D48B8E86A61D8A3F4B5ADD9C88DA6800
                                                                                                                                                                                                                                        SHA-256:20D856D68DBA3E2246EBB62A5EAEDCEFDA221ACCFA1B9362B33AFAD33B6E48C7
                                                                                                                                                                                                                                        SHA-512:1054D82E5E1B2F2C1416D31F01FF2C172ACA8DCC31A622CDD959F918B78A474BD9B40A9B7316122A8262FAC24D6236860E2EADD665030A61D56C5C0A153F81C7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241107184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241107184215Z....20241114184215Z0...*.H.............t.yl..<Y.&4S...*..).G...s.X.S.x....)l.ng.Jpe....-...}@....|.....J.\#(....]..}.......k/.a..v.I.w...6.W.`{.D..z.%.c.T".p....\....CX..L...u.n...6t.6..1W....f....m6.W....?..N...d.Q..1...H+..k..A.X..../&a.I....#..)..h.*.'..@...'s.~.i.X"...w.B...P\.K..3..V.5...A.-l..#.V...i...\.)=..G.ob....o............eTi.1...)k..+.e.?. :.X.0^.k.4.;.....S8....\.K.w#q..._m.F....(^.......}.\.}?...W....T.......)..#..{6QC...'....=....f.....>........{}.k..\...*.i.....e..F..1&.%.U.aAO....k....<....p?S.

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):408
                                                                                                                                                                                                                                        Entropy (8bit):3.9796020031693193
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKsMc+bs/ll2pEsdMhyfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhlz:o+AthymxMiv8sF3HtllJZIvOP20Z8oF
                                                                                                                                                                                                                                        MD5:07830BB672590405034A387B31690C1F
                                                                                                                                                                                                                                        SHA1:188CDA4A1BA3C2B4443E2567B19E924C00E92DA7
                                                                                                                                                                                                                                        SHA-256:13BE76870C9BCE49A1A22485D1DCA72049E4F895C1489638C39D445F572D6C39
                                                                                                                                                                                                                                        SHA-512:D7BFC10F6F1B53667004493F0BA27D1EB7610F222D9562A55A60BF4E7CDA1153B0551D8E64EAEAF62F2C66A9C4B8F00BC54D03D15557E66E5A3F9D6EE7D38755
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....$........1..(................xy.11...P...6...................P...6.. ............1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.c.c.8.p.W.v.3.e.y.M.Y.M.0.8.I.P.Z.f.5.%.2.F.0.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):3.976859013641937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKR55Plph1tswdyfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:XVhhdymxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                        MD5:9D5D03B975045D91CB7DE803D15AEC97
                                                                                                                                                                                                                                        SHA1:D82685AE8345555CC1B314D8C774E5DB3451BFBE
                                                                                                                                                                                                                                        SHA-256:F520CC67C24120D962CBD76DF1B4EF8EC71A0B5221938CCE7211CFD09BA0FFC5
                                                                                                                                                                                                                                        SHA-512:E39D738CA6982AD1148F3B6DB1EF8D31058E9E4E6C406E93EAED8657D7B718354BEC38B225D318A29DFA703DF952156F78EB2ADA4BFE5ABF03A77402D1A7EA2A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(........1..(...................D1......6......................6.. ............1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\InstallUtil.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...

                                                                                                                                                                                                                                        C:\Windows\System32\SRCF3E9.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):326664
                                                                                                                                                                                                                                        Entropy (8bit):6.273611352763876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                                                                                                                                                        MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                                                                                                                                                        SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                                                                                                                                                        SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                                                                                                                                                        SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..............].......j.......j.......j...............j.......j.......j...............j......Rich....................PE..d......e.........." ................<........................................@............@..........................................p..w....^....... ...........6.......(...0...... ...................................................(............................text...>~.......................... ..`.rdata..G...........................@..@.data....[.......&...f..............@....pdata...6.......8..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                        Entropy (8bit):7.195984909074457
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JyYO25GLsHt2Z5OKjOL+0BWlm+GNb3MkSl:JRO2ILsNUOL+0BWlJN
                                                                                                                                                                                                                                        MD5:7795DF33FC7DD3AA62E0BC052F9DFBAD
                                                                                                                                                                                                                                        SHA1:EA227EC994561B5BCE01C5228F9C337286FBEC9C
                                                                                                                                                                                                                                        SHA-256:6AD47D714F3DD55B2FE9072E829542851D2ECF60CB88254002C60449E8ACA736
                                                                                                                                                                                                                                        SHA-512:DE11027F0CA32119EBBB17976ECBE6582AB6AF8CAA7CE522D75C4185DA722550F1F981064DB9BE6074EB1C6C096C933C2DE7EE42B1F31B4FEDC9982F87157F9D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241107190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241107190516Z....20241114190516Z0...*.H..............\%h......B.q.?..,7..O2@.Z9.Q.~6..b..........vo...(['.Qr...0..\..d.3c.o....A6......w.*.....R.......<mN(..q....F..C.q(...o.p.........%.'.T.j./.+....)4.}'..V..&H.PL...a...X.X@7.,0 .....'T>.P@V.....$..W...^b.y<z0.........".f...(U.w.).'!..6R.ve

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.538244021680764
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq93k5h44TUqpqeLDTeV2ZeqhBwAksO9b8Sq0PtlRHwX6KluyUwVKvfsIg66:5hoqbyVs5ksO9btTPhdby8cBR
                                                                                                                                                                                                                                        MD5:29DD7378778C44788BAC45D70EA7B440
                                                                                                                                                                                                                                        SHA1:7A3C5E30C0C9A9BE505B18FD2C24422D5E3DBE56
                                                                                                                                                                                                                                        SHA-256:69354FF510301B85C14CC1ECD0E5B3C98308B820CFBCE483389A7B9A437F67D5
                                                                                                                                                                                                                                        SHA-512:9E67BEE1AE05B0F2408210A6662926CC9DA6EE2864820A4704ADFFAE9DD78B80E79EE32E83F5A5E35BED9603E82795A38570D56CC93384B82DC6254940079FE7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241107213702Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...(I.x...#...R....20241107212102Z....20241114202102Z0...*.H.............'....P0.......<..Y.xj.H.......Y..0.......{9$^.....>...W;...?.....xD/-H.Xj. p.z......;]..1v..Kpv.....X...Hz...6.(P.J_..<.e...a.U@..wK.QO...R....Qs..K.w.t~. .-D)..1$.........U..%..*....$8:.*'x...@.Q.X..w.g.t:..(.M.2.......~.t.Y.5...|.m.....+..)$....L.b....\(...2.i...t..@.lUX...=......o..jq1..~W.GQH.-.b.....@{..x.k..J=.g...Sd..].H.(.'5A..@h,./..)..e.!..$..;[..`..X...<.c..._4c.3..QG.....Uz.<S~J.4;...[.T.....#.r=..m*... ?..=jr~.....E6.O...Z...=t.......w.....9.>...Z56l..$..]....%.B2#.)%4o.d!.:

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0............@.`.L.^.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0...*.H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.|f..x8E0.O.cOL....SA|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.562070540258883
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZSc5RlRtBfQwRhs5vCZgPVrVJEYbw7OIiVFQlb8PjcNCUAnqr/E:5i8cdZTRhG+gPZPfIgMb8PjcNCa/E
                                                                                                                                                                                                                                        MD5:EB9A1D98CC4B6AC3D674A6621DF5A758
                                                                                                                                                                                                                                        SHA1:5E9BC182D48B8E86A61D8A3F4B5ADD9C88DA6800
                                                                                                                                                                                                                                        SHA-256:20D856D68DBA3E2246EBB62A5EAEDCEFDA221ACCFA1B9362B33AFAD33B6E48C7
                                                                                                                                                                                                                                        SHA-512:1054D82E5E1B2F2C1416D31F01FF2C172ACA8DCC31A622CDD959F918B78A474BD9B40A9B7316122A8262FAC24D6236860E2EADD665030A61D56C5C0A153F81C7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241107184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241107184215Z....20241114184215Z0...*.H.............t.yl..<Y.&4S...*..).G...s.X.S.x....)l.ng.Jpe....-...}@....|.....J.\#(....]..}.......k/.a..v.I.w...6.W.`{.D..z.%.c.T".p....\....CX..L...u.n...6t.6..1W....f....m6.W....?..N...d.Q..1...H+..k..A.X..../&a.I....#..)..h.*.'..@...'s.~.i.X"...w.B...P\.K..3..V.5...A.-l..#.V...i...\.)=..G.ob....o............eTi.1...)k..+.e.?. :.X.0^.k.4.;.....S8....\.K.w#q..._m.F....(^.......}.\.}?...W....T.......)..#..{6QC...'....=....f.....>........{}.k..\...*.i.....e..F..1&.%.U.aAO....k....<....p?S.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0..x..........W..!2.9...wu\0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0...*.H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...s*n..|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0...*.H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                                                                        Entropy (8bit):3.442053455389887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKDW5r8lJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:LalkPlE99SCQl2DUevat
                                                                                                                                                                                                                                        MD5:CE1EB91EB0BA41FB3AB04563C0152080
                                                                                                                                                                                                                                        SHA1:2A9EA61162605969B1AF4D08C7C5022FE2DC65D6
                                                                                                                                                                                                                                        SHA-256:1BAE7590C8246D16A9BF91F43D797ECA467045CFDFAE4D8C6CC3AC83BD87A383
                                                                                                                                                                                                                                        SHA-512:736D2B0ED09180D98DB2EFF539DFCDAC3BE45AE9C250AF0C20B3D77BF97CEBAD8F93C349F19FC0F67854D26179142C5C9B31C305D4E5850BBE83591D36A6B0B3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ............1..(................................................".17... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                        Entropy (8bit):3.9452857171427014
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:1zUItvfKk7zmxMiv8sFzD3quqDkPh8Y2ZM:hU94zmxxvpD7YkiC
                                                                                                                                                                                                                                        MD5:14ADBB3878DE572F2E4D076F5FF22E42
                                                                                                                                                                                                                                        SHA1:5C4E0E401D9B08C15A42C56007E2F8170E4D06E5
                                                                                                                                                                                                                                        SHA-256:8381174FE0B258E3A23FA92F218F2024B95A89828DD840FF5E45FB477EBAD5D5
                                                                                                                                                                                                                                        SHA-512:C859E0F7943D6BEB3D22E44C816875FFE9DA2AE8B40259566AC41F5FD8F35CBE9730672F918665AA0887B981D24E9E1B45EC04BA267563147FA44B23F9583ED5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........&.s..1..(................~..G1.....#.6.....................#.6.. ............1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                        Entropy (8bit):3.9228864866085456
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK3YyVGP/lD3s7yfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+Ksc8:b8cymxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                        MD5:EA2ADBE94C6A410FF280F175BE4D9DDD
                                                                                                                                                                                                                                        SHA1:0CBF8195F0B56A5C22FBF8B55580CB1C84044452
                                                                                                                                                                                                                                        SHA-256:1CD3D019488D6C746F4CD05D7DC1C87874A7766D060F9BF11974849584A645FE
                                                                                                                                                                                                                                        SHA-512:26723A52E63F36A035BCA96771DBC3757E23678F158931866E583B0DBA101B75FF8BF26E8662FE54D61789056B1E1756DDA05F418A4C35D5E90CCFCB8CD16EAC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .... ...W.$..1..(................sT.Z1...Kt..6...................Kt..6.. ........dh..1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                        Entropy (8bit):3.206650934253046
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:kkFklPGkfllXlE/YXlzX/RDvcalXl+RAIdA31y+NW0y1YboOai2WelVJUTMVDXlN:kKYzNcalgRAOAUSW0P3PeXJUwh8lmi3Y
                                                                                                                                                                                                                                        MD5:F36D00AE3C308DCA07ABBA1EC6A624F6
                                                                                                                                                                                                                                        SHA1:7B9FC49041294A3EA2A7C95F51D05339806805B9
                                                                                                                                                                                                                                        SHA-256:A5585D5F76E24288887BB653D0FE0814EE42C126066896C923CBCE8A8FA57D9B
                                                                                                                                                                                                                                        SHA-512:9C43B4EC094E8C4186829D44C0AB3B65E42F25EC5E0F58C0D9C1754DC7FEC05EB95F4A84D2E6F085E60DAC194A6AA60E63CC952A69AE9EF93A7A81C029E6A4EA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .............1..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):4.005729277411719
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKnPlph1ts07yfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:nhzymxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                        MD5:AD3005A0AA0166B1AD28513412F31988
                                                                                                                                                                                                                                        SHA1:4BEA0585FCED5EDB2DF6894E4267351852C14B5B
                                                                                                                                                                                                                                        SHA-256:7FF307E09617349AE17B7E12C1B67A22647A740A60A4777193862548EF57CBEF
                                                                                                                                                                                                                                        SHA-512:A563B0740247910FAA9ACB6EE5F8F9176ABBC9A776362E92D4168C49B20832498B43F54AC714AC8C409EFD103EBABF9834F8DF1C895196C5C7752B23BB5B3580
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(.....l..1..(...................D1......6......................6.. ........$...1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                        Entropy (8bit):3.0371508354751664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKALDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:ILYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                        MD5:8CFD2EDA283013E76613D21F588E9532
                                                                                                                                                                                                                                        SHA1:7F1D0B6640671413D623D67E59BDA85D867B203B
                                                                                                                                                                                                                                        SHA-256:59D3B2406567DC8DC097ECB7C803764685E5A96ACB1B1175F295541081D508E5
                                                                                                                                                                                                                                        SHA-512:849170E883237209312163A97879E1152D30B09F86BE72BD5BA450781AE4A3B3E8E03A7ADAD15E8ADA583E71192B21B65DA1C670D7AEFA2DC483AE1AB5EE4DC1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....l.....T3.1..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                        MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                        SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                        SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                        SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3043
                                                                                                                                                                                                                                        Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                        MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                        SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                        SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                        SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1499
                                                                                                                                                                                                                                        Entropy (8bit):5.341844552740347
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNWE4KXSE4KlOU4mXE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKl
                                                                                                                                                                                                                                        MD5:D45F0B0387AA9450CC88125F2428C26D
                                                                                                                                                                                                                                        SHA1:8C77259A299BF2FB7A66EC695A3F0EFA5154DCB6
                                                                                                                                                                                                                                        SHA-256:6A6DF19288C76B1CEDD0F507F226705CDE6A69F3AB59B4FC13AF5C7B7F7D12A3
                                                                                                                                                                                                                                        SHA-512:5523AD8087ECE039FFFEF746F9B6175D6C2F2523C372FC813D21E695C18D986432D2B83C23D0E6CD6C42C97DFC8DECE3121BE8907D05337EA9B282D3E947EF4F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ce

                                                                                                                                                                                                                                        C:\Windows\Temp\AteraSetupLog.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):226928
                                                                                                                                                                                                                                        Entropy (8bit):3.7835660461834295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:l7JI3SnAu+0967gddDd5W2kcf5SlCoAAOgKWa+EsQ8oZzNkxjJ27A3aXYrMq8J7U:lZXj7kJ7XWjpByksZrAFATbX
                                                                                                                                                                                                                                        MD5:D6F645249A13274A5E00D86193D30A97
                                                                                                                                                                                                                                        SHA1:3B63532D7B7B729C271A76C42FB0FB22FFBE64F2
                                                                                                                                                                                                                                        SHA-256:60C359346B318F4E6DCA2A69913C62EFBE96FC0F780DD80DAA95A061D6E7D4E9
                                                                                                                                                                                                                                        SHA-512:347FE6A4953B8E0E0C38AEBF2E9FA0AFC678350FBF7B7FF9BC925CBD3BA6D9A19C907E37C8FF30D02EDB000CB86B5C81567745B3EB2FDB2F010A7D281483E185
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..M.S.I. .(.s.). .(.B.0.:.4.0.). .[.0.7.:.5.1.:.5.5.:.2.8.5.].:. .U.s.e.r. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.i.s.a.b.l.e.R.o.l.l.b.a.c.k.'. .i.s. .0.....M.S.I. .(.s.). .(.B.0.:.4.0.). .[.0.7.:.5.1.:.5.5.:.2.8.5.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.i.s.a.b.l.e.R.o.l.l.b.a.c.k.'. .i.s. .0.....M.S.I. .(.s.). .(.B.0.:.4.0.). .[.0.7.:.5.1.:.5.5.:.2.8.5.].:. .I.n.c.r.e.m.e.n.t.i.n.g. .c.o.u.n.t.e.r. .t.o. .d.i.s.a.b.l.e. .s.h.u.t.d.o.w.n... .C.o.u.n.t.e.r. .a.f.t.e.r. .i.n.c.r.e.m.e.n.t.:. .0.....M.S.I. .(.s.). .(.B.0.:.4.0.). .[.0.7.:.5.1.:.5.5.:.2.8.5.].:. .N.o.t.e.:. .1.:. .1.4.0.2. .2.:. .H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.I.n.s.t.a.l.l.e.r.\.R.o.l.l.b.a.c.k.\.S.c.r.i.p.t.s. .3.:. .2. .....M.S.I. .(.s.). .(.B.0.:.4.0.). .[.0.7.:.5.1.:.5.5.:.2.8.5.].:. .N.o.t.e.:. .1.:. .2.2.6.5. .2.:. . .3.:. .-.2.1.4.7.2.8.7.0.3.5. .....M.S.I. .(.s.). .(.B.0.:.4.0.). .[.0.7.:.5.1.:.5.5.:.3.0.1.].:. .N.o.t.

                                                                                                                                                                                                                                        C:\Windows\Temp\B7C5EA94-B96A-41F5-BE95-25D78B486678-07-52-28.dat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602
                                                                                                                                                                                                                                        Entropy (8bit):5.719092578152453
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:H4/x2yi5erQbO1zygUcB8uBDi9s/zQl6MRdRH2nZyNuKW2p:H4Z90YUeEs/ccCdRHMZy5B
                                                                                                                                                                                                                                        MD5:6D1BC003A70B7147D51C2E197C054F83
                                                                                                                                                                                                                                        SHA1:270CBF19D9297E969B08308597B93EE54B97029E
                                                                                                                                                                                                                                        SHA-256:CEE110EE3D5381390017A30E7C8C15CE050ED951643B55448ACE0AED82527199
                                                                                                                                                                                                                                        SHA-512:3341C6B3C6FA6C44BE94AAADE75A25F309048EDCAB1AC1D122B926D221AD3A4A78506297BB97B586E747002A94EF6E0CE600A0C1F5213BDE6E0456C5BB0754E8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Installation]..INSTALLDIR=C:\Program Files (x86)\Splashtop\Splashtop Remote\..SUPPORTDIR=C:\Windows\TEMP\{B6A48C43-565C-41D9-BFCE-3E77C83A0690}\..ProductName=Splashtop Streamer..ProductVersion=3.7.2.3..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..UpgradeCode={001F085C-058A-480B-AD56-2940B857C38D}..SRVMODE=0..EXTPATH=C:\Windows\TEMP\unpack\..ISUPGRADE=0..ONEUSERMODE=-1..AUTOUPGRADE=0..VTHIDSKIPOEM=1..SSUDONE=0..INSTVD=1..INSTDRV=0x81..VersionNT=603..STARTSRV=1..SRVFOLDER=Server..WOW64=1..WORKSTATION=1..TEMPFOLDER=C:\Windows\TEMP\..USERINFO=sec_opt=0,confirm_d=0,hidewindow=1..BASEDTYPE=1..

                                                                                                                                                                                                                                        C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_000_dotnet_runtime_6.0.35_win_x64.msi.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):566284
                                                                                                                                                                                                                                        Entropy (8bit):3.8522280513695444
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:81ysSPjZkJZgNgiJaRKw8CJyxbD8PbvdJzPNt/swoUOsellCH+DoL9RpB4MvIUj1:hjwGA
                                                                                                                                                                                                                                        MD5:ABDBB903778AA7FBF77ABDD58FCE7247
                                                                                                                                                                                                                                        SHA1:0A2500B5F591FBEF10DC8D4DDF894C7B2CF4D110
                                                                                                                                                                                                                                        SHA-256:50ADA3643B5CC36A52DDF4E89F957535F64C47D1D706223C6D36BBC2A8AC303B
                                                                                                                                                                                                                                        SHA-512:FDCEB84D1140BBEDEC8DDC2E7A8A6C00A4DA575276C6A6347CB34753F8F28CD92CC1A4CB93E1C1581EABF5FB32CC6610AB48434D1B988D5DBBFC2A068922C991
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_000_dotnet_runtime_6.0.35_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.8./.1.1./.2.0.2.4. . .0.7.:.5.2.:.1.6. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.D.B.4.F.8.9.3.3.-.D.B.8.6.-.4.4.E.D.-.8.B.B.F.-.1.0.E.0.8.3.8.F.7.A.0.9.}.\...b.e.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.6...0...3.5.-.w.i.n.-.x.6.4...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.0.0.:.E.8.). .[.0.7.:.5.2.:.1.6.:.8.0.3.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.0.0.:.E.8.). .[.0.7.:.5.2.:.1.6.:.8.0.3.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.0.0.:.E.8.). .[.0.7.:.5.2.:.1.6.:.8.0.3.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.C.7.9.F.6.E.E.C.-.3.A.2.B.-.4.8.7.D.-.A.3.B.6.-.E.D.F.4.0.5.7.B.4.E.4.B.}.v.4.8...1.4.0...2.1.4.5.8.\.d.

                                                                                                                                                                                                                                        C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_001_dotnet_hostfxr_6.0.35_win_x64.msi.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (400), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99394
                                                                                                                                                                                                                                        Entropy (8bit):3.804395230797667
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Y9pZnlTKqbVD9UNXjY28LSkpB5uWZHPHNFntQ+/a0GOuQo0j/23MaNoKn:YZjj/23MaN3n
                                                                                                                                                                                                                                        MD5:0230CF23B07BCEB7E0B3DE21286D41D7
                                                                                                                                                                                                                                        SHA1:25621B852EB4D88B3955A8305EA07C6FDAAC0811
                                                                                                                                                                                                                                        SHA-256:8C089D37988F673EE099DF5587B5E3800C119DE4A6D2401E73A2BE4E3829D0FB
                                                                                                                                                                                                                                        SHA-512:D963C3C263D1ACBD3134243CACA190EA2DCEC1B28DD5AB5A69AAB42908A666977FD801F32FB67E994755B580AD8126E770A7F65B6BB7BFD98972EBC889222B5E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_001_dotnet_hostfxr_6.0.35_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.8./.1.1./.2.0.2.4. . .0.7.:.5.2.:.2.6. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.D.B.4.F.8.9.3.3.-.D.B.8.6.-.4.4.E.D.-.8.B.B.F.-.1.0.E.0.8.3.8.F.7.A.0.9.}.\...b.e.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.6...0...3.5.-.w.i.n.-.x.6.4...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.0.0.:.A.4.). .[.0.7.:.5.2.:.2.6.:.1.6.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.0.0.:.A.4.). .[.0.7.:.5.2.:.2.6.:.1.6.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.0.0.:.A.4.). .[.0.7.:.5.2.:.2.6.:.1.6.2.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.E.9.1.F.8.A.C.1.-.4.9.1.7.-.4.5.5.E.-.A.A.C.A.-.B.4.0.B.1.9.3.C.7.A.6.2.}.v.4.8...1.4.0...2.1.4.5.8.\.d.

                                                                                                                                                                                                                                        C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_002_dotnet_host_6.0.35_win_x64.msi.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (385), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):109710
                                                                                                                                                                                                                                        Entropy (8bit):3.7991923152085034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Pu0DnbU5Zs+bA0dNDoqLhcrLBqJSVCYgUiNeG5HUxsM4R2jcraHsJFliLEQZwn:PrXzjcraHsJFliLEQen
                                                                                                                                                                                                                                        MD5:1045B722B43547DA5B589EEDDDA9231C
                                                                                                                                                                                                                                        SHA1:E3F34A2022891B63CF6715B284061E87C41854A0
                                                                                                                                                                                                                                        SHA-256:52CEE66A4012CB48B9947BF9AB50736DDE7BB0746D879ABB8D93474CCD195B1D
                                                                                                                                                                                                                                        SHA-512:391A80D8A552C57C66EE48B3BE51B5A0D232F6538F0633FB60922623F007EF8EF40EF3A24770408A75A29D8BB7AC5E4970BCAF2748FDEC14D5E5F5FF4AC56750
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075210_002_dotnet_host_6.0.35_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.8./.1.1./.2.0.2.4. . .0.7.:.5.2.:.2.6. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.D.B.4.F.8.9.3.3.-.D.B.8.6.-.4.4.E.D.-.8.B.B.F.-.1.0.E.0.8.3.8.F.7.A.0.9.}.\...b.e.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.6...0...3.5.-.w.i.n.-.x.6.4...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.0.0.:.D.4.). .[.0.7.:.5.2.:.2.6.:.7.7.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.0.0.:.D.4.). .[.0.7.:.5.2.:.2.6.:.7.7.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.0.0.:.D.4.). .[.0.7.:.5.2.:.2.6.:.7.7.2.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.C.5.9.6.0.1.A.1.-.7.7.1.B.-.4.2.6.B.-.A.9.F.7.-.6.C.A.C.C.A.C.4.D.B.4.E.}.v.4.8...1.4.0...2.1.4.5.8.\.d.

                                                                                                                                                                                                                                        C:\Windows\Temp\PreVer.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2988
                                                                                                                                                                                                                                        Entropy (8bit):3.6701482700553005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:Vy3ESvzy3Elo70y3EWy3ESapy3Elo7Fxy3Ei89xy3EGy3El9Ey3EFy3EMy3EWLy+:Vy3ES7y3EG70y3EWy3ESMy3EG7Fxy3E5
                                                                                                                                                                                                                                        MD5:40AD8C41200E9D2F42779A9AB321D905
                                                                                                                                                                                                                                        SHA1:EA62512B538127F686065C59213B9AEAD6925577
                                                                                                                                                                                                                                        SHA-256:4D2A44BCF582546ECE3EB23A112422D0D79B2D69AAB65133458BEAB3BC916797
                                                                                                                                                                                                                                        SHA-512:583EB2F85EDF230B06DE0B69FC0D2853E67F514CE6EE02E160F49B3173B2856EE6130ACAEFCF942E199FFF66CD9A821E2EB337D25F88102A269C0D4145014900
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.5.9.2.:.7.5.8.8.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.2.1. . .S.e.t.K.e.y. .k.e.y.P.a.t.h.:.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r. .f.a.i.l. . .E.r.r.:.0.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.5.9.2.:.7.5.8.8.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.2.1. . .I.n.i.t. .R.e.g.P.a.t.h.:.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r. .h.a.s. .e.r.r.o.r.,. .b.e.c.a.u.s.e. .h.a.v.e. .n.o. .P.r.o.d.u.c.t.c.o.d.e. .o.r. .U.p.g.r.a.d.e. .c.o.d.e. . .E.r.r.:.0.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.5.9.2.:.7.5.8.8.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.2.1. . .N.o. .o.l.d. .v.e.r. .e.x.i.s.t. . .E.r.r.:.1.8.3.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.5.9.2.:.7.5.8.8.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.2.1. . .S.e.t.K.e.y. .k.e.y.P.a.t.h.:.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r. .f.o.r. .B.u.s.i.n.e.s.s. .f.a.i.l. . .E.r.r.:.1.8.3.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.5.9.2.:.7.5.8.8.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.2.1. . .I.n.i.t. .R.e.g.P.a.t.h.:.S.

                                                                                                                                                                                                                                        C:\Windows\Temp\PreVer.log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (523), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1295552
                                                                                                                                                                                                                                        Entropy (8bit):3.8599072809733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:yger4pBUOucjGoH1NeFmBZRZBbOx7mHH5XUD5oz2+rNOTOFI/crtwdi5Q+AFwYfs:RjHNeZjDy
                                                                                                                                                                                                                                        MD5:AB72C43BFD0BD71A498FA1A651E371DA
                                                                                                                                                                                                                                        SHA1:EC8A8440F7088DA43492BFB8DD95E260638B10D7
                                                                                                                                                                                                                                        SHA-256:5229EF1ECABB2E1FABDE9AD65DE4CA5E78438497545AAB4EBB11A6EA67897052
                                                                                                                                                                                                                                        SHA-512:3B5BBAC8FDADC7D751BA684D840BB930DA39E21C6B8BFDFA2A1C5B23406B4F07650CB9F287F1D6F631DB8E0D6A3A8E7159B5DF52C244E7D90972D52577C47F91
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.8./.1.1./.2.0.2.4. . .0.7.:.5.1.:.2.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.C.0.:.B.0.). .[.0.7.:.5.1.:.2.1.:.8.1.7.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.C.0.:.B.0.). .[.0.7.:.5.1.:.2.1.:.8.1.7.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.C.0.:.B.0.). .[.0.7.:.5.1.:.2.1.:.8.1.7.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .s.e.t.u.p...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.C.0.:.B.0.). .[.0.7.:.5.1.:.2.1.:.8.1.7.].:. .C.l.i.e.n.t.-.s.i.d.e. .a.n.d. .U.I. .i.s. .n.o.n.e. .

                                                                                                                                                                                                                                        C:\Windows\Temp\SplashtopStreamer.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):56904336
                                                                                                                                                                                                                                        Entropy (8bit):7.93750887921502
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:Shz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/iuvKk:44ObGVUacXfXHEX2YHiAg7v+Mdj/iuvf
                                                                                                                                                                                                                                        MD5:6AAE99153C786353C750BF8F5C9779B1
                                                                                                                                                                                                                                        SHA1:01BF4087FEE55709A4B87FDCDB9E367B6D0D885F
                                                                                                                                                                                                                                        SHA-256:E125E0D79F2EF28292EE325CEE883400A474E9552EA38E07DD20163CAAB98AC8
                                                                                                                                                                                                                                        SHA-512:7F21501B176EBB83E2518F3F77B8313726F192FC650FC987B4EE03630B5611B32A07849FFB961C42CFF9AAC705EC8B7EF69547801FC3412470F8395C895B9DE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{F~.(F~.(F~.(O.8(U~.(F~.(.|.(O.>(\~.(O.((.~.(O./(.~.(O.!(A~.(O.?(G~.(O.:(G~.(RichF~.(................PE..L...y?.g............................./............@..................................Ee.............................................. ..(............"d..(..........`................................i..@...................D........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4932
                                                                                                                                                                                                                                        Entropy (8bit):3.6595363025096916
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:vQPtP60dP69P624P6NhP6NUk9XAHoNVGmXBNCBNa9XAAsBNVDZBNIBNl9XANWBN/:4lFes4pFmXmZNZslqzR8FbmD34kpZORz
                                                                                                                                                                                                                                        MD5:1A9EDE7E3A201FE7334F7A8F6E47CC89
                                                                                                                                                                                                                                        SHA1:A217FE19DEBD45C453B3B6664CE97F1380A00FE5
                                                                                                                                                                                                                                        SHA-256:81140996CC8E67A8ED41D62C1E9522173930F943C431FD52B50F9535D1844A15
                                                                                                                                                                                                                                        SHA-512:954856D076DAA35866CDEA49CF98419C4A6CBAF0BF52BAEEC5D94395F7162E1AD14124E499CC554B781DA703CA93791306D8060B3EA883F462D7BCF5C0ACA153
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[.6.7.3.2.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.1.6. . .[.C.U.t.i.l.i.t.y.:.:.O.S.I.n.f.o.]. .O.S. .1.0...0.(.1.9.0.4.5.). . .x.6.4.:.1. .(.L.a.s.t.=.0.).....[.6.7.3.2.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.1.6. . .[.C.U.n.P.a.c.k.:.:.F.i.n.d.H.e.a.d.e.r.]. .N.a.m.e.:.C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r...e.x.e. .(.L.a.s.t.=.0.).....[.6.7.3.2.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.1.6. . .[.C.U.n.P.a.c.k.:.:.F.i.n.d.H.e.a.d.e.r.]. .S.i.g.n. .S.i.z.e.:.1.0.2.4.0. .(.L.a.s.t.=.0.).....[.6.7.3.2.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.1.6. . .[.C.U.n.P.a.c.k.:.:.F.i.n.d.H.e.a.d.e.r.]. .H.e.a.d.e.r. .o.f.f.s.e.t.:.4.3.4.1.7.6. .(.L.a.s.t.=.1.8.3.).....[.6.7.3.2.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.1.6. . .[.C.U.n.P.a.c.k.:.:.U.n.P.a.c.k.F.i.l.e.s.]. . .F.r.e.e.S.p.a.c.e.:.1.8.0.9.2.5.4.9.7.3.4.4. .F.i.l.e.S.i.z.e.:.5.3.0.7.1.8.7.2. .(.L.a.s.t.=.0.).....[.6.7.3.2.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.1.:.1.6. . .[.C.U.n.P.a.c.k.:.:.U.n.P.a.c.k.F.i.l.e.s.]. .(.1./.5.).U.n.P.a.c.k.

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\PreVerCheck.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3383808
                                                                                                                                                                                                                                        Entropy (8bit):7.34393442596073
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:JcO5IMA1lvHRzotzo5YuCpvBgSq8/R58hgpwVHSSWz:rAXvRMtUiuCpJgSVR58hS1z
                                                                                                                                                                                                                                        MD5:A7CE785B6CD1C9657040CA9B6CBEED10
                                                                                                                                                                                                                                        SHA1:4B254FEE47CC8A9EAEC6CE7B714A2CE05B6ED8EC
                                                                                                                                                                                                                                        SHA-256:7BA6E401B8E78AB28E1CCF38D2CD05E12751F960661E159B4E35BC63D3544B4D
                                                                                                                                                                                                                                        SHA-512:39202F477017DAA9428A0C1BBE1DAAE30AA1B7B9F57B04832C44A7B28AF0144FF47EDFC1AD3D6A940AD1C49471DFE190077B594C337BACC115C552D91A24C2D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!}..!}..!}......*}.......}..(.;. }..1...6}..1...5}..1....}......7}......>}..!}...|..j...=}..j.@. }..!}(. }..j... }..Rich!}..........................PE..L....<.g...............).....r0..............0....@...........................3.......3...@..........................................P..@-/..........z3..(....3..'......p...........................(...@............0...............................text...H........................... ..`.rdata..n....0......................@..@.data...4....0......................@....rsrc...@-/..P..../..$..............@..@.reloc...'....3..(...R3.............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\SRSocketCtrl.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):984584
                                                                                                                                                                                                                                        Entropy (8bit):6.654713325570367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:gD2kCn6swdgSq3nUm08oS2R58vpo8Gp7EPVHHG0wIRCpDHFS:kvBgSq3nUD/R58vpofp4PVHHG07RgA
                                                                                                                                                                                                                                        MD5:8A17CA74AFC4FFF3A0AC2262DDD260A1
                                                                                                                                                                                                                                        SHA1:AC598B0297BF3CDF231D67A47BE942DA5173093B
                                                                                                                                                                                                                                        SHA-256:6EFCE3CC622589CE8A7B65C700692FB8EF9B97D50CDC828F0FC7E872C52CEBA9
                                                                                                                                                                                                                                        SHA-512:A8608961EF6936CD2EBAA6026B4074066A06F1CE90806C648B31E38E979F7BEB0F93A6E7BE33365A595D7DF6236E454241424DBC95EAC50867F2C78F89620BE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.....x...x...x.W.{...x.W.}.x..5|...x.W.|...x..3....x..3{...x..3|...x..3}.S.x.W.y...x...y..x.T2q.[.x.T2x...x.T2....x.......x.T2z...x.Rich..x.........PE..L....X.f...........!...).....&............... ...............................`......5.....@..........................6..T....6...........................(......T......p...................@.......@...@............ ..`............................text...h........................... ..`.rdata...)... ...*..................@..@.data....h...P.......0..............@....rsrc................L..............@..@.reloc..T............R..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\libcrypto-3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1336328
                                                                                                                                                                                                                                        Entropy (8bit):7.871375711510445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:B/fqcYYzqZYz970TN1T42xGWD9bujQdC5NNQIpL8575+HZ0tuC+:NHRzHuh1cQGWDRu08Q0L8J5+HZ0tuC+
                                                                                                                                                                                                                                        MD5:67998603B05979931B23D16655529E15
                                                                                                                                                                                                                                        SHA1:A7EE73C900A3F6EEDFDEFDBC3A2099D5185BAEE2
                                                                                                                                                                                                                                        SHA-256:6A08DBFBFBBDEFE80D9CFCDF8BC26C9183A4FFEE24EEE0FA62571381AD28E9D4
                                                                                                                                                                                                                                        SHA-512:1BB92EBA016C76CB446FF0152BB13EF6043E05A5E2C14B38080F6CC7DA5CC2E4CC25C88717222917C128DC08F9DA3937E1635FBB21BCC4ABF10B9344CBED2369
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1.seb.seb.seb..fc.seb..`cxseb..ac.seb..fc.seb..ac.seb..`c.seb.sdbWseb..dc.seb.seb.seb..ac!qeb..ec.seb...b.seb..gc.sebRich.seb................PE..L......f...........!...).....0....(.`.:...(...:...............................<.....*.....@...........................:.|"...:.@.....:..............<...(....<.....................................D.:.............................................UPX0......(.............................UPX1..........(.....................@....rsrc....0....:..(..................@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\libssl-3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342024
                                                                                                                                                                                                                                        Entropy (8bit):7.895641722792913
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:1Y2e1wyPJHcHPL4W84QDcsKzJEraJJZ90eGBSemTEMNFrUCoSbL:LaJS0W84QopzJE2JJseGBugMNFhbL
                                                                                                                                                                                                                                        MD5:523BA7EBE060B6961722FF97089695B7
                                                                                                                                                                                                                                        SHA1:EFC5C558A78CD5DB8F3F0DC510FCFF8EE4876E77
                                                                                                                                                                                                                                        SHA-256:EA3795FB2D4CFE2FE70F616E3C5D9BD73DADEA39F8CC3A4BF81389F73352097A
                                                                                                                                                                                                                                        SHA-512:A2265D470FCBCC7E0E8AE88B44969768FF1216F76177EE4B9531FB09C980D9D4B1331D41E184BA1F0E66356B5530E7946F614CA7FCEB449B6C1228BC2233755D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t.C..XC..XC..X...YI..X...Y...X...YW..X...YA..XSA.YU..XSA.YR..XSA.Y\..X.@.Y@..XC..XP..X.@.Yq..X.@.YB..X.@.XB..X.@.YB..XRichC..X........PE..L...g..f...........!...).....P......pd.......p............................................@.........................lt...>...s.......p...................(..$.......................................\f..............................................UPX0....................................UPX1................................@....rsrc....P...p...D..................@......................................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\run.bat

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15
                                                                                                                                                                                                                                        Entropy (8bit):2.9995812306460645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1X6AZJ:1qAX
                                                                                                                                                                                                                                        MD5:56884732C1B8ABCBA0A31746DF533D97
                                                                                                                                                                                                                                        SHA1:662FA5002ACCB46261763B57F6A772E0A2AA5DDF
                                                                                                                                                                                                                                        SHA-256:A6212DAAA9A377B202A9436D80AB97BC9B0050DC7E174FCD35F255B34500CFAB
                                                                                                                                                                                                                                        SHA-512:8D5817660238082002FB42447D3B614C5099C8C691D4D091BE54BDDC5958A854628083BCCA191E6E45C85E70A8C6DCB5D2CBB4E2A3E5D255F5695139347E539C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PreVerCheck.exe

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\setup.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                        File Type:Generic INItialization configuration [REGPATH]
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1528
                                                                                                                                                                                                                                        Entropy (8bit):5.6192017888227515
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:Zem6aTKgWT8SoBz09LAjUeiKbd8fusQK5oqAeEVhqY0+c8Eo/VoijXOR+7G2eHNl:gi+Noh0dBeNbMoqvEV0Y0+bjjXD7FwNl
                                                                                                                                                                                                                                        MD5:FC5DE1FEA9170B61439922A367A12478
                                                                                                                                                                                                                                        SHA1:96941D31908B0CB49ADEABBDFCC43508F2B99B36
                                                                                                                                                                                                                                        SHA-256:087BA98D89B1E1366D04A909AC09D109BB80A872B6D5C38E29568DBEE5B116F1
                                                                                                                                                                                                                                        SHA-512:6423294E13EA896CE12E8369101CDEAF6EB467CC60A2852E5145BE12CD8EE1189A8508A59FAF504BB4BC90593F451EC09291662E6BD43438BBCAC57F2B69613B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[CUSTOMSETTING]..REGEXTSECT=Splashtop Remote Server for Business..INSTDRV=0x81..BASEDTYPE=1....[REGPATH]..NUM=2..REGPATH_01=Splashtop Remote Server..REGPATH_02=Splashtop Remote Server for Business....;Common..[REGISTRY]..CSRSMode=1..confirm_d=1..EnableNvFBC=@NO:0..EnableADEM=@NO:0....;STE..[REGISTRY_Splashtop Remote Server for Business]..EnableAutoUpgrade=0..CloudUserAgent=@SX:business..EnableIQSV=0..USERTRACK_NAME=@SO:SCRS00....[PREVERCHECK]..PRODUCTID={B7C5EA94-B96A-41F5-BE95-25D78B486678}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..PRODUCTNAME=Splashtop Streamer..SSUNAME=PROTOIRIS00..SSUPRODUCT=SVR..COMPATIBLE_NUM=4....[PREVERCHECKREG]..REGKEYPATH_NUM=2..REGKEYPATH_MAIN=0..REGKEYPATH_0=Splashtop Remote Server,1..REGKEYPATH_1=Splashtop Remote Server for Business,0....;ST2..[COMPATIBLE_0]..PRODUCTID={2EFEAD58-3311-4B2B-9D8A-8D663581D109}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..SSUNAME=PROTOIRIS00..FORCESTEMODE=0....;S4B Prodcut name with Splashtop Streamer for Busine

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\setup.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Fri Oct 25 15:56:32 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53071872
                                                                                                                                                                                                                                        Entropy (8bit):7.963230061374655
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:6hz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/:g4ObGVUacXfXHEX2YHiAg7v+Mdj/
                                                                                                                                                                                                                                        MD5:33E6BF180DFDC83D8FE09F9ED2CB4912
                                                                                                                                                                                                                                        SHA1:657F5AB0681B5AEA27459CDA99D3C9C976AE72CD
                                                                                                                                                                                                                                        SHA-256:09988CCA8DA09D56FD13D2F7A8335245D23567CBA884925477849B605F20A464
                                                                                                                                                                                                                                        SHA-512:A1FB80F899086A263E3332D86A39ED49BE0D0598F2D5994828FDDF09012B39C2784DE95CE7238098ED6845450FE2BDE612DDD4BCF517EDA80B43C10D50E48738
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...................*...............8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...:...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y.......[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                                                                                                                                                        C:\Windows\Temp\unpack\uninst.iss

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):988
                                                                                                                                                                                                                                        Entropy (8bit):5.127699291644866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:RjUcBbUcBIP+ijUcBIDQUcBIPEUcBIDv0zWatYh7+ifPcPvo7PZn+i4TjnPTvY:9UQUhGijU90UhMU9odOyifEIzZ+i4PPc
                                                                                                                                                                                                                                        MD5:5DBDCF8D475069C447F676D56327382B
                                                                                                                                                                                                                                        SHA1:08A0CA9150DCFA9D46370A340F000504D7772032
                                                                                                                                                                                                                                        SHA-256:EDAC85170F8B70F30E7F7080B34664B186B635520FFBC011CD9AB6257BAB78A8
                                                                                                                                                                                                                                        SHA-512:81CE6716D4F58CEA4194FA5FF42EE22C2D2686DD0A097DC384E797411587A2071A4070E3ECF5B7E9571FF5D29C2DFD0ED197B6890D70BDFECE376E7E0340CEE1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:;Unistall..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-DlgOrder]..Dlg0={B7C5EA94-B96A-41F5-BE95-25D78B486678}-MessageBox-0..Count=2..Dlg1={B7C5EA94-B96A-41F5-BE95-25D78B486678}-SdFinish-0..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-MessageBox-0]..Result=6..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0....;Unistall 140..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-DlgOrder]..Dlg0={9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-MessageBox-0..Count=2..Dlg1={9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-SdFinish-0..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-MessageBox-0]..Result=6..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-DlgOrder]..Dlg0={94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-MessageBox-0..Count=2..Dlg1={94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-SdFinish-0..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-MessageBox-0]..Result=6..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0..

                                                                                                                                                                                                                                        C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\ISRT.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437800
                                                                                                                                                                                                                                        Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                        MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                        SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                        SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                        SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\IsConfig.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):571
                                                                                                                                                                                                                                        Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                        MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                        SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                        SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                        SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                        C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\String1033.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186494
                                                                                                                                                                                                                                        Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                        MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                        SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                        SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                        SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                        C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):183856
                                                                                                                                                                                                                                        Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                        MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                        SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                        SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isres_0x0409.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1864872
                                                                                                                                                                                                                                        Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                        MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                        SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                        SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                        SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\setup.inx

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):353888
                                                                                                                                                                                                                                        Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                        MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                        SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                        SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                        SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                        C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\ISRT.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437800
                                                                                                                                                                                                                                        Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                        MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                        SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                        SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                        SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\IsConfig.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):571
                                                                                                                                                                                                                                        Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                        MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                        SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                        SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                        SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                        C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\String1033.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186494
                                                                                                                                                                                                                                        Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                        MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                        SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                        SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                        SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                        C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\_isB0F3.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):183856
                                                                                                                                                                                                                                        Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                        MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                        SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                        SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\_isres_0x0409.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1864872
                                                                                                                                                                                                                                        Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                        MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                        SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                        SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                        SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{98A0DA3D-3751-4282-8C86-6E890B4959C2}\setup.inx

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):353888
                                                                                                                                                                                                                                        Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                        MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                        SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                        SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                        SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                        C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\ISRT.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437800
                                                                                                                                                                                                                                        Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                        MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                        SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                        SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                        SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\IsConfig.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):571
                                                                                                                                                                                                                                        Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                        MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                        SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                        SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                        SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                        C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\String1033.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186494
                                                                                                                                                                                                                                        Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                        MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                        SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                        SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                        SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                        C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\_is986.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):183856
                                                                                                                                                                                                                                        Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                        MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                        SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                        SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\_isres_0x0409.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1864872
                                                                                                                                                                                                                                        Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                        MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                        SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                        SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                        SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{A1809E80-0C3A-4048-9FED-4F13961294D8}\setup.inx

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):353888
                                                                                                                                                                                                                                        Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                        MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                        SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                        SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                        SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                        C:\Windows\Temp\{B6A48C43-565C-41D9-BFCE-3E77C83A0690}\Description.xml

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2374
                                                                                                                                                                                                                                        Entropy (8bit):5.66619220204628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3j9wrwgwzfy2wzcibOi2wzitw+53WgnJWwC5LDwhFTtw7NC0:2cRzfyLz9bOiLzl+53WgndphFu7Nv
                                                                                                                                                                                                                                        MD5:BD29ACF2C6B763E5398C71D360958C60
                                                                                                                                                                                                                                        SHA1:86FD0E905AF254E6209EC6F1888E7EBAE248D977
                                                                                                                                                                                                                                        SHA-256:1B90C8121D1D91FF3CF07A56F5E5FBC12DCCF9B09AE90984E171CFBF1F9E69CE
                                                                                                                                                                                                                                        SHA-512:1042B3344BBB482CC8C31936D5368B9B81F5BDC5335F81BCE49367F09514C13D427A05E04137EBFE0F18C7F99D8CAF6E4742DC3A6881D88004251A49DA896EFA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<Description Default="en">..<en Default="US">..<US>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. A computer with the Splashtop Remote Desktop Server can receive connections from any device running Splashtop Remote Client...</US>..</en>..<de Default="DE">..<DE>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. Ein Computer mit dem Splashtop Remote Desktop Server kann Verbindungen von jedem Ger.t empfangen, auf dem der Splashtop Remote Client l.uft...</DE>..</de>..<es Default="ES">..<ES>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. Un equipo con Splashtop Remote Desktop Server puede recibir conexiones desde cualquier dispositivo que est. ejecutando Splashtop Remote Client...</ES>..</es>..<fr Default="FR">..<FR>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. Un ordinateur avec Splashtop Remote Desktop Server peut recevoir des co

                                                                                                                                                                                                                                        C:\Windows\Temp\{B6A48C43-565C-41D9-BFCE-3E77C83A0690}\setup.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Generic INItialization configuration [REGPATH]
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1493
                                                                                                                                                                                                                                        Entropy (8bit):5.601665610962739
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:Zem6aTKNVASoBz09LAjUeiKbd8fusQK5oqAeEVhqY0+c8Eo/VoijXOR+7G2eHNhD:gPoh0dBeNbMoqvEV0Y0+bjjXD7FwNUQ
                                                                                                                                                                                                                                        MD5:5A9302AEA54E2C4341F2254E8E914271
                                                                                                                                                                                                                                        SHA1:DBD0D914EBAEF52B16E17092CC7DCCC31517797F
                                                                                                                                                                                                                                        SHA-256:F68C1CDA9475717430B6A3F0656085F8FB72CD3CAA66D048DE84F17CA7BE582E
                                                                                                                                                                                                                                        SHA-512:11552F3B66510AE76F715DB99F2A75A9D891DFA490E417C1230BBDFEDF348717FB143E773ABFA42BC3A109CCE6B3C1EBDE7ADA5E2103DB17D2B194398F6EE272
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[CUSTOMSETTING]..REGEXTSECT=Splashtop Remote Server for Business..INSTDRV=0x81..BASEDTYPE=1....[REGPATH]..NUM=2..REGPATH_01=Splashtop Remote Server..REGPATH_02=Splashtop Remote Server for Business....;Common..[REGISTRY]..CSRSMode=1..EnableNvFBC=0....;STE..[REGISTRY_Splashtop Remote Server for Business]..EnableAutoUpgrade=0..CloudUserAgent=@SX:business..EnableIQSV=0..USERTRACK_NAME=@SO:SCRS00....[PREVERCHECK]..PRODUCTID={B7C5EA94-B96A-41F5-BE95-25D78B486678}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..PRODUCTNAME=Splashtop Streamer..SSUNAME=PROTOIRIS00..SSUPRODUCT=SVR..COMPATIBLE_NUM=4....[PREVERCHECKREG]..REGKEYPATH_NUM=2..REGKEYPATH_MAIN=0..REGKEYPATH_0=Splashtop Remote Server,1..REGKEYPATH_1=Splashtop Remote Server for Business,0....;ST2..[COMPATIBLE_0]..PRODUCTID={2EFEAD58-3311-4B2B-9D8A-8D663581D109}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..SSUNAME=PROTOIRIS00..FORCESTEMODE=0....;S4B Prodcut name with Splashtop Streamer for Business..[COMPATIBLE_1]..PRODUCTID={73A1

                                                                                                                                                                                                                                        C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\ISRT.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437800
                                                                                                                                                                                                                                        Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                        MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                        SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                        SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                        SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\IsConfig.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):571
                                                                                                                                                                                                                                        Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                        MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                        SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                        SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                        SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                        C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\String1033.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186494
                                                                                                                                                                                                                                        Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                        MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                        SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                        SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                        SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                        C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\_isEEE7.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):183856
                                                                                                                                                                                                                                        Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                        MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                        SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                        SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\_isres_0x0409.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1864872
                                                                                                                                                                                                                                        Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                        MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                        SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                        SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                        SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{DDB82D01-A84C-48ED-8A5C-6B19CF655695}\setup.inx

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):353888
                                                                                                                                                                                                                                        Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                        MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                        SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                        SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                        SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                        C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\ISRT.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437800
                                                                                                                                                                                                                                        Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                        MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                        SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                        SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                        SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\IsConfig.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):571
                                                                                                                                                                                                                                        Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                        MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                        SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                        SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                        SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                        C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\String1033.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186494
                                                                                                                                                                                                                                        Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                        MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                        SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                        SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                        SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                        C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\_is3F8.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):183856
                                                                                                                                                                                                                                        Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                        MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                        SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                        SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\_isres_0x0409.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1864872
                                                                                                                                                                                                                                        Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                        MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                        SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                        SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                        SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\{F9ECB42B-6BD6-4CC8-99DC-761D336E0CD8}\setup.inx

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):353888
                                                                                                                                                                                                                                        Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                        MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                        SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                        SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                        SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF010EB22A91E7F034.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2505501650377584
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:WgduksPveFXJpT5xOmqISoedGPdGfo2rnrStedGPdGRub1n:fdrRT2zIIox
                                                                                                                                                                                                                                        MD5:8A385FD22B1F660A30FCF89BFC52212E
                                                                                                                                                                                                                                        SHA1:54CD7B994237288A2EE60B48852884C3C34F9E6F
                                                                                                                                                                                                                                        SHA-256:65C7426E52DDA78B747F2A5832C09989FBD66380E7A254D30F749F34B66519AA
                                                                                                                                                                                                                                        SHA-512:DE5F2A5443669302A68D37374B4A88E5F0F7F03B7AEBE16D04173557FA637FB92336F04042734BA468ACA717A9FE9A027F4C5C875DA5C08C96E020575A0310C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF010EB22A91E7F034.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF026EBC3EB2941CD9.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2771553331671153
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:SOLuHBrh8FXzZT5bcdXynlUSjndddwEqdGUDjybQ6SsndddSE8ly:VLiUnTV8CnlUf3DONaE
                                                                                                                                                                                                                                        MD5:AF65B84B44339A2A5F223FFBA17CF5FA
                                                                                                                                                                                                                                        SHA1:06A4BEB82FBF13F250E850F3EA4BCF379694AE50
                                                                                                                                                                                                                                        SHA-256:259D2DA63031B4119EFB4FB136B50CBCB23A71976BCFBB7611A6DC78B721D409
                                                                                                                                                                                                                                        SHA-512:5AA2C8FCEFA6FF5BA1D4604C47F95057FB5D78DA51283E9E5993121BB634813B43FE213564F716BE1D39696D3E3F283E1E7515A44BA5D5399D929DAEFE210D4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF026EBC3EB2941CD9.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF037596D4359F43F1.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF0490B689FA32AEF4.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.0002712838199117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:1MMXukJveFXJfT5pfDwoqISoedvPdvbCnuhnq9rnK/dStedvPdvxubS:/XaHTnfD6IciuBuLO4
                                                                                                                                                                                                                                        MD5:28C23B22024E9233559490B2F0444D53
                                                                                                                                                                                                                                        SHA1:16C98EB3F8CA7F2769C9E0ACD183154761AFCB31
                                                                                                                                                                                                                                        SHA-256:DBF27D899CCC95D9FE1632B59A2326ADB24CE5BFCA7983F190A3C38D687D20A0
                                                                                                                                                                                                                                        SHA-512:FD16346F33AB3990BD2CDE1D332C0A4F00BE2AABFA81530A9EB592605E949E88894CEE5FEAA459F7674E516AE0A1D856D9F30104D4CE2019A1E2F161C378A074
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0490B689FA32AEF4.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF07348613B0C561AE.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.568815821219557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:M8PhFuRc06WXz+jT5ddm3qASjnd/EqdGUDjybQSSsnd/E8Q:jhF1jjThm3qAI3DONPQ
                                                                                                                                                                                                                                        MD5:A9818B54F5451C7FBFE91052FE058C48
                                                                                                                                                                                                                                        SHA1:08EE91F919D031F8B33A0ECEA5AEAC7E33925A6C
                                                                                                                                                                                                                                        SHA-256:64EA87FDFFDE0DB18D080592CC834B77D9DAB5761B32D86738E2EC83D16D4BC0
                                                                                                                                                                                                                                        SHA-512:08152018D48B59A8C513402FACC6A6C4EBE607810590DD983144E4750561D1663696DF3BD2E98AB6CAF8A98B514E49D9F53ADFBB40816F6E426AE61A4FBCA1D5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF07348613B0C561AE.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF0794723A6FF8527B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.2999862255657648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JYO38PhMuh3iFip1GE2yza2t4KAQBHobagUMClXte6RVG+oAWS+NRxMXwZymiL:X8PhMuRc06WXOCBT5SXAWS68XwZy9
                                                                                                                                                                                                                                        MD5:A07BC9FA65871CBBB5C7CB92DE396021
                                                                                                                                                                                                                                        SHA1:7AA48FB81E953B7DFDF52E1C71DA5FB3EB73BD7C
                                                                                                                                                                                                                                        SHA-256:224F3004C8AF8006F89B20EF4D25206E6C7FD167623B7052D5E47838E162C8EF
                                                                                                                                                                                                                                        SHA-512:A892BC77341506558C74DE54813370C1F8471ECECFECB59CB45F08AED64E3FA0ACCAF0ABD4F61456F812270668859BDF6604E60B6D75FB1667DCC1DDFE84C925
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF0CF88437D50EC22A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                        MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                        SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                        SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                        SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF0DD967F14423A5B3.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF0EAA60CFCE617D4B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF11E7BCB1741A0DCE.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07164539385886445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOmgy3LtgVky6lit/:2F0i8n0itFzDHFqit/
                                                                                                                                                                                                                                        MD5:CDD2CC620B96FD7A2185F2C1091D7496
                                                                                                                                                                                                                                        SHA1:59DA2E21FE000C53BC5D55A2CE839394B86A1A98
                                                                                                                                                                                                                                        SHA-256:38CF24D757B2CE82D154FF117406C03A32345F3B7A676D271861063BC0957042
                                                                                                                                                                                                                                        SHA-512:F3EE77F8FBAD564B15DD846D0E09BB756293CD3E1156B4C817D3EEB5E28274D3FC8C5314EEE3BDE3581569BB8FEFFE603DFB2A33BFA761FB8DA65EC75805F0BC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF148DD3D6F2536A0A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF14A5FA179E65F7D1.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5621333139288809
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:48PhluRc06WXJ0FT5xOmqISoedGPdGfo2rnrStedGPdGRub1n:Hhl13FT2zIIox
                                                                                                                                                                                                                                        MD5:FA6F1B56AC40A639ECDDE5059D0DE369
                                                                                                                                                                                                                                        SHA1:6C2E8CDBE3AD78A26E7179CCBDE47AA874441F8E
                                                                                                                                                                                                                                        SHA-256:63377EA35A2C444791BE57FD90D566873D2DCB817D45E4F23FF242E53EA13048
                                                                                                                                                                                                                                        SHA-512:99A703F55394E70E71043555AD06594D5064439445F8BB96FCFBE1F51BF7248ABEB6F483CF047A59EB1BF6840D954091D71971FB0018E9A2ED964E259C2E0443
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF14A5FA179E65F7D1.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF18FC13D9683BBED2.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.229728603723284
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:HVUuKJveFXJfT5lD9qISoedGPdGTFaStedGPdGTn:1U4HTjDgI9D
                                                                                                                                                                                                                                        MD5:A5524086E7DDBF71D7F6C6DF043D840C
                                                                                                                                                                                                                                        SHA1:B3C292EB5B50CBAC8802E382D09003A005EF64FC
                                                                                                                                                                                                                                        SHA-256:9E8CC6060057747D37A9298AA0F3EEA9DA59D0584CB887CCE397A712035C9E50
                                                                                                                                                                                                                                        SHA-512:004DB708647182AA27E33AF535CBDF0D3B87ED3FCAA2B00124AC15A9B28E5119B2B610D92ADB8FCA7F1CFB25F71A12C91EB970C744703E01C09E83CADCF543CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF18FC13D9683BBED2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1A3A846971E8BB67.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147456
                                                                                                                                                                                                                                        Entropy (8bit):3.094912832298669
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YLeRObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFM0ARObDBZ84vjMgtjDDtgVPpSu7b5G:oeoDkfsKPpSuyFAoDkfsKPpSuy
                                                                                                                                                                                                                                        MD5:2C41EF42C8ED816FA4B851D9D9D408A3
                                                                                                                                                                                                                                        SHA1:C3D83D8A55B62DEFA1AA3F0D40E67BBA91931E52
                                                                                                                                                                                                                                        SHA-256:41F31A6B1A6C90E04B5C96E3C2ABDB6F21845E4F0911E0498BCD11568819CE7A
                                                                                                                                                                                                                                        SHA-512:9409D90CC5FC2904D6E16B96A586ED15BBC1129178AD2B09299F9ED12F6D89C4D58493133A7ED9DC45082357F5CEC75621F36D0A306E6768F830024283A9E955
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1A54C6D7C78B4357.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1C40E6A27379684E.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1C5F4B9C18F6AFC0.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1D23EFDA342B6F6C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF2073CE39DF7B5067.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15704345432031003
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:KyuBEuSsndddPSjndddwEqdGUDjybQHlidXy:Puv9f3DOGleC
                                                                                                                                                                                                                                        MD5:A39BA51DC4DF3D77F0D67992BE05C360
                                                                                                                                                                                                                                        SHA1:CEECF8CD0D2F3AFEFAF8B475EE3A644F3714CACD
                                                                                                                                                                                                                                        SHA-256:31B4F1CC51E7C4BF288831A1A389BCCDA3BD475C57DCA6F6B6F1BA2FDE5431C5
                                                                                                                                                                                                                                        SHA-512:DDCD76D9CB99E957255D6E7C3A3403CA6B6936D101B656B687FCA93E6211ADC6D8C825D798C3ED723274870053DF3B41F647E7AE34CD4EFB2AC7192353E77227
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF2073CE39DF7B5067.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF25F4A80A34F5495F.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147456
                                                                                                                                                                                                                                        Entropy (8bit):3.094912832298669
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YLeRObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFM0ARObDBZ84vjMgtjDDtgVPpSu7b5G:oeoDkfsKPpSuyFAoDkfsKPpSuy
                                                                                                                                                                                                                                        MD5:2C41EF42C8ED816FA4B851D9D9D408A3
                                                                                                                                                                                                                                        SHA1:C3D83D8A55B62DEFA1AA3F0D40E67BBA91931E52
                                                                                                                                                                                                                                        SHA-256:41F31A6B1A6C90E04B5C96E3C2ABDB6F21845E4F0911E0498BCD11568819CE7A
                                                                                                                                                                                                                                        SHA-512:9409D90CC5FC2904D6E16B96A586ED15BBC1129178AD2B09299F9ED12F6D89C4D58493133A7ED9DC45082357F5CEC75621F36D0A306E6768F830024283A9E955
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF26378A7BA606BAFD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2771553331671153
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:SOLuHBrh8FXzZT5bcdXynlUSjndddwEqdGUDjybQ6SsndddSE8ly:VLiUnTV8CnlUf3DONaE
                                                                                                                                                                                                                                        MD5:AF65B84B44339A2A5F223FFBA17CF5FA
                                                                                                                                                                                                                                        SHA1:06A4BEB82FBF13F250E850F3EA4BCF379694AE50
                                                                                                                                                                                                                                        SHA-256:259D2DA63031B4119EFB4FB136B50CBCB23A71976BCFBB7611A6DC78B721D409
                                                                                                                                                                                                                                        SHA-512:5AA2C8FCEFA6FF5BA1D4604C47F95057FB5D78DA51283E9E5993121BB634813B43FE213564F716BE1D39696D3E3F283E1E7515A44BA5D5399D929DAEFE210D4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF26378A7BA606BAFD.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF2C9D2CCA54EDF440.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF2E32154272298DF2.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07928728571212156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO/LfNzGelhqLIUSVky6l/X:2F0i8n0itFzDHFjfIaqR/X
                                                                                                                                                                                                                                        MD5:EA6B4F3F0C52181E2913C44F1E8F4FC1
                                                                                                                                                                                                                                        SHA1:730E207F58450786A296AD2820F2821C977E18FA
                                                                                                                                                                                                                                        SHA-256:4443883A6AA19E21D84A287DB3BA806503985BC5501AC985751F9834BBF06C1E
                                                                                                                                                                                                                                        SHA-512:F6FA55D6BB02E5D55671D0DF89D6852CCE2FDE965028F1CA2BA78703609EE3F2C80A92DF74D61DCF486FFF920EE80208F68E087FF8E1F2711DDAB637E7FB1AC9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF313360291D7C6B76.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6030511717708045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:V8PhTuRc06WXzAjT55ddWibSjndd4d/EqdGUDjybQqSsndd4dXE8:4hT11jTtdWc93DONg
                                                                                                                                                                                                                                        MD5:4DA9A778EE6B0728A3C1B89FC4A645F6
                                                                                                                                                                                                                                        SHA1:3C20546707F63263DD5B48DB78C2FDB81D042FE7
                                                                                                                                                                                                                                        SHA-256:EADF7D1283E89DBF1DB25A68B8181170D32ABE065BC0ED65CB9F4A4223A48EBC
                                                                                                                                                                                                                                        SHA-512:89B91359A7AC58B1F0F0250BB6F645C02BB9F17A6D15D8EE7E4B1030D70DECBBAA3D6C41D54AE34F228E2C4B11C6E6269F3CFE798F6C01A5C5B54CDA3ABECCA5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF313360291D7C6B76.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF3204F456716B36CD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.229728603723284
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:HVUuKJveFXJfT5lD9qISoedGPdGTFaStedGPdGTn:1U4HTjDgI9D
                                                                                                                                                                                                                                        MD5:A5524086E7DDBF71D7F6C6DF043D840C
                                                                                                                                                                                                                                        SHA1:B3C292EB5B50CBAC8802E382D09003A005EF64FC
                                                                                                                                                                                                                                        SHA-256:9E8CC6060057747D37A9298AA0F3EEA9DA59D0584CB887CCE397A712035C9E50
                                                                                                                                                                                                                                        SHA-512:004DB708647182AA27E33AF535CBDF0D3B87ED3FCAA2B00124AC15A9B28E5119B2B610D92ADB8FCA7F1CFB25F71A12C91EB970C744703E01C09E83CADCF543CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3204F456716B36CD.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF38A229A9EE1DFA8A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF3CB1399B3D4C602A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.0002712838199117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:1MMXukJveFXJfT5pfDwoqISoedvPdvbCnuhnq9rnK/dStedvPdvxubS:/XaHTnfD6IciuBuLO4
                                                                                                                                                                                                                                        MD5:28C23B22024E9233559490B2F0444D53
                                                                                                                                                                                                                                        SHA1:16C98EB3F8CA7F2769C9E0ACD183154761AFCB31
                                                                                                                                                                                                                                        SHA-256:DBF27D899CCC95D9FE1632B59A2326ADB24CE5BFCA7983F190A3C38D687D20A0
                                                                                                                                                                                                                                        SHA-512:FD16346F33AB3990BD2CDE1D332C0A4F00BE2AABFA81530A9EB592605E949E88894CEE5FEAA459F7674E516AE0A1D856D9F30104D4CE2019A1E2F161C378A074
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3CB1399B3D4C602A.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF3DB58DA369B209A5.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF41A5E0429566F085.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.600329408407042
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:x8PhTuRc06WXz+jT5SdXynlUSjndddwEqdGUDjybQ6SsndddSE8ly:MhT1jjTMCnlUf3DONaE
                                                                                                                                                                                                                                        MD5:0A08F9B5AD6FCA584A12DB950AEFD493
                                                                                                                                                                                                                                        SHA1:DC6B2F359F895FEDB610C68BA90F25BE78DCB206
                                                                                                                                                                                                                                        SHA-256:22741F087659D2DB74B63F0ADE067AF6550C94E127C7BED83177361F3B813BCE
                                                                                                                                                                                                                                        SHA-512:B6C9DC8C2F36DD7217B0A042ED100E8ECA93CF2BF957881AB0A20FAE3F16A2F46E835A0D0739606A9EE60B2AB1BF8DC2F9768CDA5E3705D9E965881E507096AC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF41A5E0429566F085.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF41A5E0429566F085.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF445B28B2ACCEF43F.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.2999862255657648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JYO38PhMuh3iFip1GE2yza2t4KAQBHobagUMClXte6RVG+oAWS+NRxMXwZymiL:X8PhMuRc06WXOCBT5SXAWS68XwZy9
                                                                                                                                                                                                                                        MD5:A07BC9FA65871CBBB5C7CB92DE396021
                                                                                                                                                                                                                                        SHA1:7AA48FB81E953B7DFDF52E1C71DA5FB3EB73BD7C
                                                                                                                                                                                                                                        SHA-256:224F3004C8AF8006F89B20EF4D25206E6C7FD167623B7052D5E47838E162C8EF
                                                                                                                                                                                                                                        SHA-512:A892BC77341506558C74DE54813370C1F8471ECECFECB59CB45F08AED64E3FA0ACCAF0ABD4F61456F812270668859BDF6604E60B6D75FB1667DCC1DDFE84C925
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF453E2092A3D8365F.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6030511717708045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:V8PhTuRc06WXzAjT55ddWibSjndd4d/EqdGUDjybQqSsndd4dXE8:4hT11jTtdWc93DONg
                                                                                                                                                                                                                                        MD5:4DA9A778EE6B0728A3C1B89FC4A645F6
                                                                                                                                                                                                                                        SHA1:3C20546707F63263DD5B48DB78C2FDB81D042FE7
                                                                                                                                                                                                                                        SHA-256:EADF7D1283E89DBF1DB25A68B8181170D32ABE065BC0ED65CB9F4A4223A48EBC
                                                                                                                                                                                                                                        SHA-512:89B91359A7AC58B1F0F0250BB6F645C02BB9F17A6D15D8EE7E4B1030D70DECBBAA3D6C41D54AE34F228E2C4B11C6E6269F3CFE798F6C01A5C5B54CDA3ABECCA5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF453E2092A3D8365F.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF49E5FD496892DFC7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF53E8C05E4C971931.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF55C6163897AD8A5D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147456
                                                                                                                                                                                                                                        Entropy (8bit):3.094912832298669
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YLeRObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFM0ARObDBZ84vjMgtjDDtgVPpSu7b5G:oeoDkfsKPpSuyFAoDkfsKPpSuy
                                                                                                                                                                                                                                        MD5:2C41EF42C8ED816FA4B851D9D9D408A3
                                                                                                                                                                                                                                        SHA1:C3D83D8A55B62DEFA1AA3F0D40E67BBA91931E52
                                                                                                                                                                                                                                        SHA-256:41F31A6B1A6C90E04B5C96E3C2ABDB6F21845E4F0911E0498BCD11568819CE7A
                                                                                                                                                                                                                                        SHA-512:9409D90CC5FC2904D6E16B96A586ED15BBC1129178AD2B09299F9ED12F6D89C4D58493133A7ED9DC45082357F5CEC75621F36D0A306E6768F830024283A9E955
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5A4EEA896101CA56.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5AA26B837347CAF4.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14178910835690872
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfo2rn0S:icyLIF
                                                                                                                                                                                                                                        MD5:6661A7EC91003B493C14D9F589772DEF
                                                                                                                                                                                                                                        SHA1:D7F982AB6E09A96B3B4CF0DBF663965BBEA7669C
                                                                                                                                                                                                                                        SHA-256:2048991ABC8095A6420A4D72C2C162F8DD2A8E1BF6CD74E6CC6647EB4B26BC78
                                                                                                                                                                                                                                        SHA-512:E63200BE8E18BF213BD887C8BCA389CA743B1020C744D28340F19D57F4BCD4450A1D63F072CB4E8E238E41B7AFA4F0757BFED6E119C84C8FFCCFDC2FE2080809
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5AA26B837347CAF4.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5C1836872985610E.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5CD6762C57437B1A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147456
                                                                                                                                                                                                                                        Entropy (8bit):3.094912832298669
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YLeRObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFM0ARObDBZ84vjMgtjDDtgVPpSu7b5G:oeoDkfsKPpSuyFAoDkfsKPpSuy
                                                                                                                                                                                                                                        MD5:2C41EF42C8ED816FA4B851D9D9D408A3
                                                                                                                                                                                                                                        SHA1:C3D83D8A55B62DEFA1AA3F0D40E67BBA91931E52
                                                                                                                                                                                                                                        SHA-256:41F31A6B1A6C90E04B5C96E3C2ABDB6F21845E4F0911E0498BCD11568819CE7A
                                                                                                                                                                                                                                        SHA-512:9409D90CC5FC2904D6E16B96A586ED15BBC1129178AD2B09299F9ED12F6D89C4D58493133A7ED9DC45082357F5CEC75621F36D0A306E6768F830024283A9E955
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5D2CF1C6D477C68F.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5DF98EB0091D4213.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF6724759D82C37996.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF6C0291E02F452261.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2771553331671153
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:SOLuHBrh8FXzZT5bcdXynlUSjndddwEqdGUDjybQ6SsndddSE8ly:VLiUnTV8CnlUf3DONaE
                                                                                                                                                                                                                                        MD5:AF65B84B44339A2A5F223FFBA17CF5FA
                                                                                                                                                                                                                                        SHA1:06A4BEB82FBF13F250E850F3EA4BCF379694AE50
                                                                                                                                                                                                                                        SHA-256:259D2DA63031B4119EFB4FB136B50CBCB23A71976BCFBB7611A6DC78B721D409
                                                                                                                                                                                                                                        SHA-512:5AA2C8FCEFA6FF5BA1D4604C47F95057FB5D78DA51283E9E5993121BB634813B43FE213564F716BE1D39696D3E3F283E1E7515A44BA5D5399D929DAEFE210D4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6C0291E02F452261.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF706722BCB30CA3CA.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.568815821219557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:M8PhFuRc06WXz+jT5ddm3qASjnd/EqdGUDjybQSSsnd/E8Q:jhF1jjThm3qAI3DONPQ
                                                                                                                                                                                                                                        MD5:A9818B54F5451C7FBFE91052FE058C48
                                                                                                                                                                                                                                        SHA1:08EE91F919D031F8B33A0ECEA5AEAC7E33925A6C
                                                                                                                                                                                                                                        SHA-256:64EA87FDFFDE0DB18D080592CC834B77D9DAB5761B32D86738E2EC83D16D4BC0
                                                                                                                                                                                                                                        SHA-512:08152018D48B59A8C513402FACC6A6C4EBE607810590DD983144E4750561D1663696DF3BD2E98AB6CAF8A98B514E49D9F53ADFBB40816F6E426AE61A4FBCA1D5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF706722BCB30CA3CA.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF706722BCB30CA3CA.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF7BB8E03198A11EB7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF7DB972227FE90FC7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2791669561138337
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:eQLunBrh8FXzjT5bnddWibSjndd4d/EqdGUDjybQqSsndd4dXE8:XL/NTVddWc93DONg
                                                                                                                                                                                                                                        MD5:6FB0C164564EA76D3E8DE5B4864866A7
                                                                                                                                                                                                                                        SHA1:B791A3CE3FF59E447E81B817034A92E33EC8504D
                                                                                                                                                                                                                                        SHA-256:346798B4A54E98A9C4E75CCDF62EF66B3F4CE5E03A155208C78ECB7E3B8D99E6
                                                                                                                                                                                                                                        SHA-512:56554796EC67BCA3E0FF32828FD7589BD1E1AB99A58A18EDD347B561D67DD67C98C824E5BF3EBA37ED215D97C1609CD6B030E2E4562BEC232A1F560236135C0E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7DB972227FE90FC7.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF7EA9ACF5F9FC6CAE.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14452707524911415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:8+FRpFBEuipVGndYipV5nd/EVgdGSLMCltMClMbgNlGkQbQkW8+ydMClh+FvFSrK:979EuSsndYSjnd/EqdGUDjybQs9dm3
                                                                                                                                                                                                                                        MD5:4B115EF846DBEC407A309AD72C1BC5B1
                                                                                                                                                                                                                                        SHA1:247696E4C7F72CAE5CAB0E730B8F1B4D25394381
                                                                                                                                                                                                                                        SHA-256:A3F72256B3295D841E8B03FA8EC5776B5C270600422D4F321716C35E01389BBF
                                                                                                                                                                                                                                        SHA-512:A2487E1E9DD5A538931FD9028EB75BB8781B22B575DC5E3B1148481317B913F319A6AA97C4599EE7F5BEC35390B4D410F8437C83AB245E27D158BC72F51AA532
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7EA9ACF5F9FC6CAE.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF86A68179485913BB.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2203633408784054
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:n8PhcuRc06WXJEjT55D9qISoedGPdGTFaStedGPdGTn:mhc1HjTnDgI9D
                                                                                                                                                                                                                                        MD5:D55A476ACAC2CC32A8882A80E31CD5A1
                                                                                                                                                                                                                                        SHA1:2EACFB7BB6CF0376A1A4F97FE1871EAFE080B2F6
                                                                                                                                                                                                                                        SHA-256:1907976B2E23969497B4F0952384BA531407C6970B2F894D5A65F71AD74DF4E6
                                                                                                                                                                                                                                        SHA-512:39BA3E80BF0E772FBE8FB2A6C24A12ACF01BEB2A19346E37985ACA608556FEB80942A65B47498B9EA1EA9A133883B11D9D2E0CA855DAB20432216827BF505AAF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF86A68179485913BB.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8A84F97802C3A2A7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15799635819488775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:KlEuSsndd4dASjndd4d/EqdGUDjybQTaDdd:KD/93DOvxd
                                                                                                                                                                                                                                        MD5:8787600185FBA3363B31482E3D797173
                                                                                                                                                                                                                                        SHA1:8A6DA34FB4D7F1C4E42DEB55415D1F845A731B63
                                                                                                                                                                                                                                        SHA-256:1077570F9929B3A57EC8498B936A02A6A095549CF22E715FD35639F4771702F0
                                                                                                                                                                                                                                        SHA-512:C2ABB4D583CD1665412E67AC5B7BDF5C4EEE2ED81EA29D9AC14BAED83C7C2C6599ECC924C033A5DD8CB972AA87DB50B9FB535DE26382DC77AB66F32134DBEABF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8A84F97802C3A2A7.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8CEB021710F2C2B3.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2791669561138337
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:eQLunBrh8FXzjT5bnddWibSjndd4d/EqdGUDjybQqSsndd4dXE8:XL/NTVddWc93DONg
                                                                                                                                                                                                                                        MD5:6FB0C164564EA76D3E8DE5B4864866A7
                                                                                                                                                                                                                                        SHA1:B791A3CE3FF59E447E81B817034A92E33EC8504D
                                                                                                                                                                                                                                        SHA-256:346798B4A54E98A9C4E75CCDF62EF66B3F4CE5E03A155208C78ECB7E3B8D99E6
                                                                                                                                                                                                                                        SHA-512:56554796EC67BCA3E0FF32828FD7589BD1E1AB99A58A18EDD347B561D67DD67C98C824E5BF3EBA37ED215D97C1609CD6B030E2E4562BEC232A1F560236135C0E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8CEB021710F2C2B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8EA39299CE99309C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF90C17B8167754151.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.619210339555881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:H8PhPuRc06WXJEjT5JDwoqISoedvPdvbCnuhnq9rnK/dStedvPdvxubS:GhP1HjT3D6IciuBuLO4
                                                                                                                                                                                                                                        MD5:36A02D9783A4E1B2F5DA0615B8B44F9A
                                                                                                                                                                                                                                        SHA1:AF7A741867B66FC33C5175D6E9F3D7665E43B0C4
                                                                                                                                                                                                                                        SHA-256:2466AFC24B239C843CEBAA0320FA6933F809F465624AC2DCDA991B0EEE516656
                                                                                                                                                                                                                                        SHA-512:925CC071A2025F3444A1296A37EE7A8C4558F580E3B9A913FED6C743AFB8754B2BD4CC6EB25FBF408A2D6128A3B1354CBA8EA3E7BA49099856F39A5A9BB80471
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF90C17B8167754151.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF94FB9A9BE3D847EB.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.06933201620126776
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOIs5NIHyVky6l3X:2F0i8n0itFzDHFn5M3X
                                                                                                                                                                                                                                        MD5:438749DCD9BBCBD624A65EB931FA6B22
                                                                                                                                                                                                                                        SHA1:2E2C214F75C4B246EB5D3234E68B0BFBACDDEB83
                                                                                                                                                                                                                                        SHA-256:E093D36BADA641936E07B290753CC5CF25FF004DDEFF29BC2E36FCFE70076F11
                                                                                                                                                                                                                                        SHA-512:726AE40DF0902441EB19B7B3387E48E5B7BBB616BFE4D2333347C57FF68532B95C2CDA173D66C52C3BB383AA8A84FE5BDB96C36FF0374839546374FEA2BAD1E9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9A329BB0D82E1FD5.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9F6FD42EB6D08AE2.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.229728603723284
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:HVUuKJveFXJfT5lD9qISoedGPdGTFaStedGPdGTn:1U4HTjDgI9D
                                                                                                                                                                                                                                        MD5:A5524086E7DDBF71D7F6C6DF043D840C
                                                                                                                                                                                                                                        SHA1:B3C292EB5B50CBAC8802E382D09003A005EF64FC
                                                                                                                                                                                                                                        SHA-256:9E8CC6060057747D37A9298AA0F3EEA9DA59D0584CB887CCE397A712035C9E50
                                                                                                                                                                                                                                        SHA-512:004DB708647182AA27E33AF535CBDF0D3B87ED3FCAA2B00124AC15A9B28E5119B2B610D92ADB8FCA7F1CFB25F71A12C91EB970C744703E01C09E83CADCF543CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9F6FD42EB6D08AE2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9F6FD42EB6D08AE2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9F6FD42EB6D08AE2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9FE4440E20FA5652.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA40C3992145D7595.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA830C2DE52EC24A3.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2546522213878057
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:B69uvrh8FXzZT5tdm3qASjnd/EqdGUDjybQSSsnd/E8Q:g9JnT5m3qAI3DONPQ
                                                                                                                                                                                                                                        MD5:A75BD670B8D60FC5C832C56A5D69372A
                                                                                                                                                                                                                                        SHA1:B560623CC07517F276969864A8AFA28172AD0BFC
                                                                                                                                                                                                                                        SHA-256:24E2257F3DC872E64B4994C0F70973C932D89A21A7C0C722F5EB1185EA209F93
                                                                                                                                                                                                                                        SHA-512:9B2A2257879B066C21958F4AC3627F8D0CDE9F0AC233AA398C9C50CE989D114CF4883025E7646B5BD078DBCE2FDEC2C0956DB33AE7174592D484655B4F36729B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA830C2DE52EC24A3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA9891912E7317834.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.600329408407042
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:x8PhTuRc06WXz+jT5SdXynlUSjndddwEqdGUDjybQ6SsndddSE8ly:MhT1jjTMCnlUf3DONaE
                                                                                                                                                                                                                                        MD5:0A08F9B5AD6FCA584A12DB950AEFD493
                                                                                                                                                                                                                                        SHA1:DC6B2F359F895FEDB610C68BA90F25BE78DCB206
                                                                                                                                                                                                                                        SHA-256:22741F087659D2DB74B63F0ADE067AF6550C94E127C7BED83177361F3B813BCE
                                                                                                                                                                                                                                        SHA-512:B6C9DC8C2F36DD7217B0A042ED100E8ECA93CF2BF957881AB0A20FAE3F16A2F46E835A0D0739606A9EE60B2AB1BF8DC2F9768CDA5E3705D9E965881E507096AC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA9891912E7317834.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFAD094FD10857892E.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.16306693807775544
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9rnK/5TE:hybIciuBuLoE
                                                                                                                                                                                                                                        MD5:988298D2F61571E8CFA2E56DA234AB38
                                                                                                                                                                                                                                        SHA1:841F618B806EFA499A5F75EB98B1BEE98064EEFA
                                                                                                                                                                                                                                        SHA-256:E34B2CCD7B9D9BB841CC6FD3018295BCE21D8263990D7B3C03BE8F875C3D15E2
                                                                                                                                                                                                                                        SHA-512:82DA38770A91AB0B73F52C523C210822F6D42314F51D1BBF1EC4C838EEC34B57161762EBE4AC98CC35E0EE5B9EA9D9C0CBB52ABE7A70F90527C483D12B2E3215
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAD094FD10857892E.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFAE89339688091080.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2546522213878057
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:B69uvrh8FXzZT5tdm3qASjnd/EqdGUDjybQSSsnd/E8Q:g9JnT5m3qAI3DONPQ
                                                                                                                                                                                                                                        MD5:A75BD670B8D60FC5C832C56A5D69372A
                                                                                                                                                                                                                                        SHA1:B560623CC07517F276969864A8AFA28172AD0BFC
                                                                                                                                                                                                                                        SHA-256:24E2257F3DC872E64B4994C0F70973C932D89A21A7C0C722F5EB1185EA209F93
                                                                                                                                                                                                                                        SHA-512:9B2A2257879B066C21958F4AC3627F8D0CDE9F0AC233AA398C9C50CE989D114CF4883025E7646B5BD078DBCE2FDEC2C0956DB33AE7174592D484655B4F36729B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAE89339688091080.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB1677423E9C405EB.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB20D1ED63594F814.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB67D3088DFACCE83.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07957035983066839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOxgIYqICN/K9IKLIUSVky6l/X:2F0i8n0itFzDHFxgIjNxKR/X
                                                                                                                                                                                                                                        MD5:C584EBAB63FADE959CA713DE5E61B9FE
                                                                                                                                                                                                                                        SHA1:04626806B95D1B8C9B3212C646EA715217A95E6A
                                                                                                                                                                                                                                        SHA-256:324A20E8D4B0FD8D553397ECEA4877E20BB7B1DC2B709BAB914AD75C11BEAE5D
                                                                                                                                                                                                                                        SHA-512:F3633B74C48AEE72D5F5AC77F2A2D15FF86922026FEF75DC5087A60BCB83935B7E4FA5CD56207B3F120B5A21495BA25472597CFCEBE30EDAAF550644EF97FACA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFBE4350BA47881726.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFC0FDE15D899E6221.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFC32A38D1C46623D0.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2546522213878057
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:B69uvrh8FXzZT5tdm3qASjnd/EqdGUDjybQSSsnd/E8Q:g9JnT5m3qAI3DONPQ
                                                                                                                                                                                                                                        MD5:A75BD670B8D60FC5C832C56A5D69372A
                                                                                                                                                                                                                                        SHA1:B560623CC07517F276969864A8AFA28172AD0BFC
                                                                                                                                                                                                                                        SHA-256:24E2257F3DC872E64B4994C0F70973C932D89A21A7C0C722F5EB1185EA209F93
                                                                                                                                                                                                                                        SHA-512:9B2A2257879B066C21958F4AC3627F8D0CDE9F0AC233AA398C9C50CE989D114CF4883025E7646B5BD078DBCE2FDEC2C0956DB33AE7174592D484655B4F36729B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC32A38D1C46623D0.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFCAD91CD85BB3FE25.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2791669561138337
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:eQLunBrh8FXzjT5bnddWibSjndd4d/EqdGUDjybQqSsndd4dXE8:XL/NTVddWc93DONg
                                                                                                                                                                                                                                        MD5:6FB0C164564EA76D3E8DE5B4864866A7
                                                                                                                                                                                                                                        SHA1:B791A3CE3FF59E447E81B817034A92E33EC8504D
                                                                                                                                                                                                                                        SHA-256:346798B4A54E98A9C4E75CCDF62EF66B3F4CE5E03A155208C78ECB7E3B8D99E6
                                                                                                                                                                                                                                        SHA-512:56554796EC67BCA3E0FF32828FD7589BD1E1AB99A58A18EDD347B561D67DD67C98C824E5BF3EBA37ED215D97C1609CD6B030E2E4562BEC232A1F560236135C0E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCAD91CD85BB3FE25.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFCD0592B522CAB70A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2505501650377584
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:WgduksPveFXJpT5xOmqISoedGPdGfo2rnrStedGPdGRub1n:fdrRT2zIIox
                                                                                                                                                                                                                                        MD5:8A385FD22B1F660A30FCF89BFC52212E
                                                                                                                                                                                                                                        SHA1:54CD7B994237288A2EE60B48852884C3C34F9E6F
                                                                                                                                                                                                                                        SHA-256:65C7426E52DDA78B747F2A5832C09989FBD66380E7A254D30F749F34B66519AA
                                                                                                                                                                                                                                        SHA-512:DE5F2A5443669302A68D37374B4A88E5F0F7F03B7AEBE16D04173557FA637FB92336F04042734BA468ACA717A9FE9A027F4C5C875DA5C08C96E020575A0310C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCD0592B522CAB70A.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFCDCD475ED65E9D68.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.0002712838199117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:1MMXukJveFXJfT5pfDwoqISoedvPdvbCnuhnq9rnK/dStedvPdvxubS:/XaHTnfD6IciuBuLO4
                                                                                                                                                                                                                                        MD5:28C23B22024E9233559490B2F0444D53
                                                                                                                                                                                                                                        SHA1:16C98EB3F8CA7F2769C9E0ACD183154761AFCB31
                                                                                                                                                                                                                                        SHA-256:DBF27D899CCC95D9FE1632B59A2326ADB24CE5BFCA7983F190A3C38D687D20A0
                                                                                                                                                                                                                                        SHA-512:FD16346F33AB3990BD2CDE1D332C0A4F00BE2AABFA81530A9EB592605E949E88894CEE5FEAA459F7674E516AE0A1D856D9F30104D4CE2019A1E2F161C378A074
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCDCD475ED65E9D68.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD13AF5760DA077E2.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD164FC693E7E41FE.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.1300131861044405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGwWTZko8+++n9:CnAStedGPdGeqISoedGPdGTFah
                                                                                                                                                                                                                                        MD5:5EEB5784A94533BA85CA184C38F3257F
                                                                                                                                                                                                                                        SHA1:D2366C0D8623ECD5F672D1F7BCBB0D4B4E48FBF7
                                                                                                                                                                                                                                        SHA-256:3D3DDDB735CF1F859810A7D7CC01E5DE33E520928A67D32AE547D634024DDF42
                                                                                                                                                                                                                                        SHA-512:465B28789423C863FB2A2311EAFBB197DC48265413926907B8522FB28A9845EBE0FD80F10707F8191134FBAB1ABDBE72897CB167CAB5411DD4A3DC4A4B9E046A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD164FC693E7E41FE.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD3CF40D2513F87C8.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.619210339555881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:H8PhPuRc06WXJEjT5JDwoqISoedvPdvbCnuhnq9rnK/dStedvPdvxubS:GhP1HjT3D6IciuBuLO4
                                                                                                                                                                                                                                        MD5:36A02D9783A4E1B2F5DA0615B8B44F9A
                                                                                                                                                                                                                                        SHA1:AF7A741867B66FC33C5175D6E9F3D7665E43B0C4
                                                                                                                                                                                                                                        SHA-256:2466AFC24B239C843CEBAA0320FA6933F809F465624AC2DCDA991B0EEE516656
                                                                                                                                                                                                                                        SHA-512:925CC071A2025F3444A1296A37EE7A8C4558F580E3B9A913FED6C743AFB8754B2BD4CC6EB25FBF408A2D6128A3B1354CBA8EA3E7BA49099856F39A5A9BB80471
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD3CF40D2513F87C8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD3CF40D2513F87C8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD4F33FDD171D24AE.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFDDB0F22BDFDA7541.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFDE4EF0E551BF66AD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE1464EAA1FD9BA8D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2505501650377584
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:WgduksPveFXJpT5xOmqISoedGPdGfo2rnrStedGPdGRub1n:fdrRT2zIIox
                                                                                                                                                                                                                                        MD5:8A385FD22B1F660A30FCF89BFC52212E
                                                                                                                                                                                                                                        SHA1:54CD7B994237288A2EE60B48852884C3C34F9E6F
                                                                                                                                                                                                                                        SHA-256:65C7426E52DDA78B747F2A5832C09989FBD66380E7A254D30F749F34B66519AA
                                                                                                                                                                                                                                        SHA-512:DE5F2A5443669302A68D37374B4A88E5F0F7F03B7AEBE16D04173557FA637FB92336F04042734BA468ACA717A9FE9A027F4C5C875DA5C08C96E020575A0310C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE1464EAA1FD9BA8D.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE2015827114B5A96.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE24DD2E7A63DD69C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEB46C3B8C5277EA4.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEBC402EEEAA3F8DD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEC36B845F78A3ACD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2203633408784054
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:n8PhcuRc06WXJEjT55D9qISoedGPdGTFaStedGPdGTn:mhc1HjTnDgI9D
                                                                                                                                                                                                                                        MD5:D55A476ACAC2CC32A8882A80E31CD5A1
                                                                                                                                                                                                                                        SHA1:2EACFB7BB6CF0376A1A4F97FE1871EAFE080B2F6
                                                                                                                                                                                                                                        SHA-256:1907976B2E23969497B4F0952384BA531407C6970B2F894D5A65F71AD74DF4E6
                                                                                                                                                                                                                                        SHA-512:39BA3E80BF0E772FBE8FB2A6C24A12ACF01BEB2A19346E37985ACA608556FEB80942A65B47498B9EA1EA9A133883B11D9D2E0CA855DAB20432216827BF505AAF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEC36B845F78A3ACD.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFED2D40585E8B8311.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):172032
                                                                                                                                                                                                                                        Entropy (8bit):2.4608060819296287
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hARObDBZ84vjMgtjDDtgVPpSu7b5Ok5oF0RObDBZ84vjMgtjDDtgVPpSu7b5Ok5b:hAoDkfsKPpSuySoDkfsKPpSuy
                                                                                                                                                                                                                                        MD5:6A1B39912BBB67D50C4248EA82E4A6FB
                                                                                                                                                                                                                                        SHA1:775E4A76B0D9A652186A17C9D093966654C717BD
                                                                                                                                                                                                                                        SHA-256:2FA60A79431F0CCFE64E8C1A4C90569CA044C1616766159FE044312DB2867AB3
                                                                                                                                                                                                                                        SHA-512:679E2A0A14CBE836D407865146FBCBADCED4FD804AC34FF388BD29935B7ACD8666E25554B27A8AE4C36E00A8F0E261156D947B14A276FDFA354FD4052504301D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEE2A53A48B336AC3.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5621333139288809
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:48PhluRc06WXJ0FT5xOmqISoedGPdGfo2rnrStedGPdGRub1n:Hhl13FT2zIIox
                                                                                                                                                                                                                                        MD5:FA6F1B56AC40A639ECDDE5059D0DE369
                                                                                                                                                                                                                                        SHA1:6C2E8CDBE3AD78A26E7179CCBDE47AA874441F8E
                                                                                                                                                                                                                                        SHA-256:63377EA35A2C444791BE57FD90D566873D2DCB817D45E4F23FF242E53EA13048
                                                                                                                                                                                                                                        SHA-512:99A703F55394E70E71043555AD06594D5064439445F8BB96FCFBE1F51BF7248ABEB6F483CF047A59EB1BF6840D954091D71971FB0018E9A2ED964E259C2E0443
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEE2A53A48B336AC3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF1F5D3DED81A3996.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07818414976654083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOw6PKLIUgVky6lW:2F0i8n0itFzDHFw6CbW
                                                                                                                                                                                                                                        MD5:66A8243D5CED8CF9148F8DC9CC546A50
                                                                                                                                                                                                                                        SHA1:215EFA5036A53267D45365E39F2A13005CC139AA
                                                                                                                                                                                                                                        SHA-256:3DBBB36F35D8D48AEB28398470CF3D86E18B7CEA99721ACE711DAD9A60F8A27A
                                                                                                                                                                                                                                        SHA-512:AFEB6D7CAAB6F5027A3383500A10627F09E7F48B073C5F1E55C96B9D1129477C54B465042C2172315F01231BA4479A9CC874F7E3773702F5213F2A191633A992
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF38D1CC5697FA5E3.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\system32\SRCredentialProvider.dll (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):326664
                                                                                                                                                                                                                                        Entropy (8bit):6.273611352763876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                                                                                                                                                        MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                                                                                                                                                        SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                                                                                                                                                        SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                                                                                                                                                        SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..............].......j.......j.......j...............j.......j.......j...............j......Rich....................PE..d......e.........." ................<........................................@............@..........................................p..w....^....... ...........6.......(...0...... ...................................................(............................text...>~.......................... ..`.rdata..G...........................@..@.data....[.......&...f..............@....pdata...6.......8..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        \Device\ConDrv

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4
                                                                                                                                                                                                                                        Entropy (8bit):2.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Cy:Cy
                                                                                                                                                                                                                                        MD5:17C47928D1BA7ECB789EE3E4E7BB61A4
                                                                                                                                                                                                                                        SHA1:58836A68D7DA82082C676A5E1F5BC33F2A8CADF0
                                                                                                                                                                                                                                        SHA-256:42A3ABE36D8E5C5CB6123D9DA9ADB152C87AD6E08CB6327BB5405A8E297635E4
                                                                                                                                                                                                                                        SHA-512:EF35FF11C834B9F6696C0EB1FA3F32A3DAE4C304AB872E2A5357D539DDA15C3AC7BD618B5AE8628BCF42BC9B47AFE0C6796816318B2E10B8378EDAFD953EE336
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:52..

                                                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Entropy (8bit):7.878667758876642
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                        • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                        File name:z8yxMFhhZI.msi
                                                                                                                                                                                                                                        File size:2'994'176 bytes
                                                                                                                                                                                                                                        MD5:ca547b71f62c449c8e365701212469d9
                                                                                                                                                                                                                                        SHA1:43d9688cb60427723cf098896d762b010487bbee
                                                                                                                                                                                                                                        SHA256:c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621
                                                                                                                                                                                                                                        SHA512:6ebe3885cc2ddad0c8579ece4344d6c3b75929e389270aabd409ecdea3772f7baa1b866e0f4a37e706441c8a17d1e243cb9cd81b659fec42db69fcfff1fa6f2e
                                                                                                                                                                                                                                        SSDEEP:49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        TLSH:00D523117584483AE3BB0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                        File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                                                        Icon Hash:2d2e3797b32b2b99

                                                                                                                                                                                                                                        Network Behavior

                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                                                        CPU Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        Memory Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:07:50:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z8yxMFhhZI.msi"
                                                                                                                                                                                                                                        Imagebase:0x7ff7726d0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:1
                                                                                                                                                                                                                                        Start time:07:50:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                        Imagebase:0x7ff7726d0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                        Start time:07:50:29
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 0665D20C0C89E79051AAD52EC447123B
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                        Start time:07:50:29
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSID54C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5297578 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0xaa0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1720745521.000000000427D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:07:50:30
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSID81C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5298234 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                        Imagebase:0xaa0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1771227691.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1771227691.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1731658678.0000000004398000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                        Start time:07:50:35
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSIEAF9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5303046 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                        Imagebase:0xaa0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1773764408.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:07:50:35
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding CA0C5DC5313F71A0151B846B9DF49599 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x730000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                        Start time:07:50:36
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0x520000
                                                                                                                                                                                                                                        File size:47'104 bytes
                                                                                                                                                                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:07:50:36
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x800000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                        Start time:07:50:36
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0xad0000
                                                                                                                                                                                                                                        File size:139'776 bytes
                                                                                                                                                                                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                        Start time:07:50:36
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                        Imagebase:0xda0000
                                                                                                                                                                                                                                        File size:74'240 bytes
                                                                                                                                                                                                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                        Start time:07:50:36
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:07:50:37
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="marisol.condimentos@hotmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ND5FxIAL" /AgentId="a6dedb0f-2022-4aea-abf1-f34b9f20892e"
                                                                                                                                                                                                                                        Imagebase:0x1df0a9f0000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1851255413.000001DF0ABD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C6CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1852691846.000001DF0AD20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1851255413.000001DF0ABDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C6F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1856509849.000001DF251EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1856509849.000001DF2518E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1856370967.000001DF25160000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C6F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1851255413.000001DF0AC12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C6C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C6FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C7A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C772000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C7BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000000.1793758201.000001DF0A9F2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1853017839.000001DF0C709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1851255413.000001DF0AC61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1851255413.000001DF0AC5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1857972609.00007FFD9B3D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 21%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                        Start time:07:50:42
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x2bbcfbe0000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2342617373.000000FA9D7A5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0905000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0CA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2348840998.000002BBCFD4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2348840998.000002BBCFD10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0A58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0A1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD06A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0AA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0D20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2355737421.000002BBD0530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2354821548.000002BBCFFF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0942000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0C6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2346862466.000002BBCFC90000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD096C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD07B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2399469390.000002BBE96E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0E1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0755000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2399469390.000002BBE96D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2399469390.000002BBE96A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2348840998.000002BBCFD18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2392191319.000002BBE9150000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2355737421.000002BBD05F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2392191319.000002BBE91A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2348840998.000002BBCFD98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0CEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0B67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2392191319.000002BBE9185000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD06D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2357811653.000002BBD0C9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2394976270.000002BBE930E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                                        Start time:07:50:42
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff73dec0000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                                                        Start time:07:50:42
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                                        Start time:07:50:43
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSICED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5311734 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                        Imagebase:0xaa0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903585125.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000003.1862097536.0000000004A9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903585125.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                                                                        Start time:07:50:58
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "68b87b08-ee5a-4a28-b15f-bf80d4fa6d54" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ND5FxIAL
                                                                                                                                                                                                                                        Imagebase:0x224d2070000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2032657849.00000224D23BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2034231651.00000224EB2AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2032657849.00000224D2339000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2034231651.00000224EB1F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2033567521.00000224D2B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2033567521.00000224D2BA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2033567521.00000224D2BB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2032657849.00000224D23C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2032527193.00000224D2260000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2032657849.00000224D237D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2032657849.00000224D2331000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2032657849.00000224D22F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2033141606.00000224D2992000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000000.2006129029.00000224D2072000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                                        Start time:07:50:58
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                        Start time:07:51:01
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "6ff523c4-fe05-487b-a560-69e402e17cca" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ND5FxIAL
                                                                                                                                                                                                                                        Imagebase:0x17bc8f70000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2049207030.0000017BC9190000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2050414128.0000017BC9B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2050143889.0000017BC93F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2049207030.0000017BC91AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2050414128.0000017BC9C13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2049207030.0000017BC9218000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2049207030.0000017BC9259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2050414128.0000017BC9C03000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2049207030.0000017BC9198000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2049207030.0000017BC91CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                        Start time:07:51:01
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:07:51:02
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x14895970000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEF36000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2683179432.0000014895B2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.00000148964FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2727562739.00000148AEBF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.00000148967A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2682789704.0000014895A20000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896AD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896E0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896CE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896872000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2683179432.0000014895B55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2683179432.0000014895B0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896BE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.00000148968E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEF20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.000001489691A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896C23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AF00A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2727562739.00000148AEC4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896E38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896ABE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2689322174.0000014895E00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEF66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.00000148966B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.000001489693C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.00000148965A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEF9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896B63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEFCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2677000286.0000003593725000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896A50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.00000148969E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.000001489691E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AF026000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896B5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEFD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEF50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.000001489675C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896EA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896D4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.00000148967C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2683179432.0000014895AD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2731087701.00000148AEFA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2692056998.0000014896B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:07:51:02
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff73dec0000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:07:51:02
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:07:51:03
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "0a4bcae9-40bd-4b1b-b8e4-0618fbce3416" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ND5FxIAL
                                                                                                                                                                                                                                        Imagebase:0x14cea840000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2298111257.0000014CEA957000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C80163000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2298111257.0000014CEA999000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C8022B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2312017810.0000014CEBDD1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2298111257.0000014CEA910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2306564317.0000014CEBAF3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C80093000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C801BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C801F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C801C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2306758462.0000014CEBAF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2298111257.0000014CEA94D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C80001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C80227000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2301128593.0000014CEAB60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2291545268.0000014C80297000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                        Start time:07:51:03
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:07:51:03
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff77ed90000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000003.2061553933.000001C750690000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2175629520.000001C750553000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2175933613.000001C750670000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2175629520.000001C75053B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2175629520.000001C750530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                                        Start time:07:51:03
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                                        Start time:07:51:04
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff650200000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2167451224.000002570ABA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                                                                        Start time:07:51:05
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "e41a296a-bcac-4b5c-8bc7-2e8c101aed07" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000ND5FxIAL
                                                                                                                                                                                                                                        Imagebase:0x1ede1f00000
                                                                                                                                                                                                                                        File size:74'288 bytes
                                                                                                                                                                                                                                        MD5 hash:749C51599FBF82422791E0DF1C1E841C
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2670881408.000001EDE2350000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2671572796.000001EDE29F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2694524998.000001EDFB258000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2636607693.000001EDE2141000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2636607693.000001EDE218D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2694524998.000001EDFB227000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000000.2072061781.000001EDE1F02000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2636607693.000001EDE2100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2671572796.000001EDE2B8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2671572796.000001EDE2B05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2694524998.000001EDFB1C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2636607693.000001EDE2147000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2636607693.000001EDE2125000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2636607693.000001EDE21E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2636607693.000001EDE210C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2671572796.000001EDE2981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                                        Start time:07:51:05
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                                        Start time:07:51:05
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                        Imagebase:0x7ff7e95e0000
                                                                                                                                                                                                                                        File size:4'630'384 bytes
                                                                                                                                                                                                                                        MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:07:51:08
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" a6dedb0f-2022-4aea-abf1-f34b9f20892e "74fce1a7-1569-4d1d-870e-be0a7f6a226e" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ND5FxIAL
                                                                                                                                                                                                                                        Imagebase:0x1e368840000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2175632565.000001E368AFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2189180182.000001E36ABE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2188031318.000001E36A9C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2176993792.000001E369092000.00000002.00000001.01000000.0000001D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2175632565.000001E368B7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2159573235.000001E3005AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2176871582.000001E368D90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2175632565.000001E368B31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2238998450.00007FFDF18A9000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2187719270.000001E36A7B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2174534999.000001E368930000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000000.2103622822.000001E368842000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2187907134.000001E36A9B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2175632565.000001E368AF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2175632565.000001E368BD6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2179127584.000001E3699F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2159573235.000001E300001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2159573235.000001E3000ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:07:51:08
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:07:51:16
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:56'904'336 bytes
                                                                                                                                                                                                                                        MD5 hash:6AAE99153C786353C750BF8F5C9779B1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2601365382.0000000000530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2601466971.0000000000720000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                        Start time:07:51:16
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:07:51:21
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                                                                                                                                                                                                                        Imagebase:0x970000
                                                                                                                                                                                                                                        File size:3'383'808 bytes
                                                                                                                                                                                                                                        MD5 hash:A7CE785B6CD1C9657040CA9B6CBEED10
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                        Start time:07:51:21
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                                                                                                                                                                                                                        Imagebase:0x730000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                                        Start time:07:51:24
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F8E5523720913A12EDC79533245EA2A0 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x730000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:07:51:27
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59A2717C-22F7-4A43-A7C1-00D51E25C2A7}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                        Start time:07:51:27
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C9DF522-E68D-4E9E-888D-42C716E8ED46}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                        Start time:07:51:27
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{93B32141-75DD-468F-91FD-A34B20052481}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                        Start time:07:51:27
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02BC1A4E-DCC8-4D67-9DD0-6286586A3FE7}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{97507E97-1CE2-42FF-A992-32B34D8B9AF8}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:47
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{937EEFBD-E420-4210-82B0-5A755D4DC99D}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:48
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{096088E7-31E4-460F-A477-AA5FD56C0C67}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:49
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C08DB0C-2CD4-44D8-B8C1-2ED1CF4D0265}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F24D5FAD-F814-47DB-BA4C-8D4C9227B143}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:51
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\Temp\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\TEMP\{218C0E9C-DAE7-402D-9E0D-4FCB02E9E3DA}\_isB2BB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{42674A53-EFF1-4628-AC3D-41E80A5C40CB}
                                                                                                                                                                                                                                        Imagebase:0x7ff7f1450000
                                                                                                                                                                                                                                        File size:183'856 bytes
                                                                                                                                                                                                                                        MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
                                                                                                                                                                                                                                        Imagebase:0x240000
                                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                        Start time:07:51:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:83
                                                                                                                                                                                                                                        Start time:07:51:30
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:
                                                                                                                                                                                                                                        Has administrator privileges:
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:360
                                                                                                                                                                                                                                        Start time:07:52:27
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:
                                                                                                                                                                                                                                        Has administrator privileges:
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:364
                                                                                                                                                                                                                                        Start time:07:52:28
                                                                                                                                                                                                                                        Start date:08/11/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:
                                                                                                                                                                                                                                        Has administrator privileges:
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Disassembly

                                                                                                                                                                                                                                        Reset < >

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 04431630 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $^q$$^q
                                                                                                                                                                                                                                          • API String ID: 0-355816377
                                                                                                                                                                                                                                          • Opcode ID: 47f36b6762ef3a0d10a14bc5675d18749fe1a90cfb8414df818a34c8b2b35b10
                                                                                                                                                                                                                                          • Instruction ID: c9893989df5c4ae36b708e2ea0180173393325591a2d9de28ad42a56a9cc8c95
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47f36b6762ef3a0d10a14bc5675d18749fe1a90cfb8414df818a34c8b2b35b10
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6451C031B002099FCB19DF79D8406AFBBB6ABC9751B14812BE819DB365DA309D42C7A1
                                                                                                                                                                                                                                          Function 04431080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 48bf7cbd0f4bc0868ac389029e2cbb990b63673c3973ce29a6e85f34ef44c2eb
                                                                                                                                                                                                                                          • Instruction ID: 6f6994e7ff60e34fafa7ee027130e24eb1bdd0f6a8e73ac15aad854fccaf4884
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48bf7cbd0f4bc0868ac389029e2cbb990b63673c3973ce29a6e85f34ef44c2eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B871E435B002149FEF189BB5C9546AEBBA7EFCC711F14842AE506EB3A4DE75EC428740
                                                                                                                                                                                                                                          Function 04430C1C Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 0989c6162fa60cc6f37d4dcd7eebbd281ac45347127089a7c49fbbedd9faa09a
                                                                                                                                                                                                                                          • Instruction ID: f976f6dd72e08728d817c57058569a9d19fc7c26e048dd9e88eb8fcd86811d25
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0989c6162fa60cc6f37d4dcd7eebbd281ac45347127089a7c49fbbedd9faa09a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E51C030B00244AFEB089B68D4547BE7BB6EFCC715F15906AD406E7395CE38AC06CB91
                                                                                                                                                                                                                                          Function 04430E8C Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: d4546f70aa6e497b38a2f4d10e04bf21619c5d76b945838a99a7acfc3a7956d7
                                                                                                                                                                                                                                          • Instruction ID: 6a030758ee0d92434d30a9cd35e5777915f0c18ddf2d497904ec69ee5f840dc1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4546f70aa6e497b38a2f4d10e04bf21619c5d76b945838a99a7acfc3a7956d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27412631B401045BEF18AB69946077E77AADFCCB12F14902EE506EB391CE74AC068791
                                                                                                                                                                                                                                          Function 04432644 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: a74700b6bc168ec6a0a603301423f2bbcb3afc488fffb2df31417ff05e62a4d7
                                                                                                                                                                                                                                          • Instruction ID: c8d00670109ef2ca257716f2acc92613b84062de2307d245c9734cb7b6f1312d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a74700b6bc168ec6a0a603301423f2bbcb3afc488fffb2df31417ff05e62a4d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C31F3257083940BEF296F35645037F3B9BEBCA716F1484EBD402CB392DDA8AC064351
                                                                                                                                                                                                                                          Function 04432764 Relevance: .4, Instructions: 397COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 18d193d7fac18e82488a33e03d1f0741228277406378e6ad40b2a988253850e4
                                                                                                                                                                                                                                          • Instruction ID: c1696cbeecfb6accc73e32a03d1a0f63b40a9455be5d7e8e61eb34b8ae05310f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18d193d7fac18e82488a33e03d1f0741228277406378e6ad40b2a988253850e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EAE02BB0C842048FC744DF7890401ED7FF4FB4A21572182BFC409C6A11EA3A8943CF40
                                                                                                                                                                                                                                          Function 044323B8 Relevance: .2, Instructions: 179COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 34f034090557ae7a6328280c164f821b5122ee246c987fb988e233ef28d7974e
                                                                                                                                                                                                                                          • Instruction ID: e203737524dbfc087e4e796a0f918b658e433ee7381d0ab61bac31342f6297db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34f034090557ae7a6328280c164f821b5122ee246c987fb988e233ef28d7974e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93510431B002118FDB14CF68D890AAEBBB1FF48719B2581E6D518CB362E771ED42C781
                                                                                                                                                                                                                                          Function 04431F08 Relevance: .1, Instructions: 112COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e62fe1a0aa4fd40b458671726e3a28eb7581d4726f92927a76beb54b50eeab17
                                                                                                                                                                                                                                          • Instruction ID: 383862d9d009102f88ccb7874797a6fb72feec4f2f3a53a1d37ac9edbb699901
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e62fe1a0aa4fd40b458671726e3a28eb7581d4726f92927a76beb54b50eeab17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A331AC327043056FCF185B75745163A3B2ADBC8B5AB05607BE609CF2A2DE287C07C3A1
                                                                                                                                                                                                                                          Function 04432268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 35d54126041310cdd80a8f0be9a475ba50a97cfda4f3c687e65b0c54dbf56def
                                                                                                                                                                                                                                          • Instruction ID: c5369da8f665aff29bb623d331296b107c0f426b0df06f419f86bbbb122928b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35d54126041310cdd80a8f0be9a475ba50a97cfda4f3c687e65b0c54dbf56def
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B741E535B002189FCB54DF69D88099EBBB2FB8D715B10816AE905EB360DB71AD42CB90
                                                                                                                                                                                                                                          Function 04431050 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bf67d4676492ea2baca1e3e4c68441e09465f8103a36d0588e8b76063d183f98
                                                                                                                                                                                                                                          • Instruction ID: 5979f939e4a77fd206d0501c684501abfef021d08b4e28eae5cdc393acd64087
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf67d4676492ea2baca1e3e4c68441e09465f8103a36d0588e8b76063d183f98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94213632B0126497EF109B6889506EEBBAADFCC616F04507BC506CB352EA74ED078390
                                                                                                                                                                                                                                          Function 04432258 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 70bdf563986cbd641f7f39315fd74c91d475e69f83035ff9cdf600466d3287a2
                                                                                                                                                                                                                                          • Instruction ID: e56c1fee9020b8a287a9eb51108fca1ddc941ba30b1418b25d21cfbeef0bc645
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70bdf563986cbd641f7f39315fd74c91d475e69f83035ff9cdf600466d3287a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D621EA75A102059FCB48DF79D8809DEBBB2FF8C711B10826AE915EB364DB719942CB50
                                                                                                                                                                                                                                          Function 04431958 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 949583fea07a7f8727b46dc27b13d20447477f7fde4830c93668fd0f52f22889
                                                                                                                                                                                                                                          • Instruction ID: c9ee69c50eb5a44c7219292be33f2de6dc0b6889bc9e3295d189c8d063824ac7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 949583fea07a7f8727b46dc27b13d20447477f7fde4830c93668fd0f52f22889
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63113D35A00115AFDB04DFA4D495AA9BFBAEFCC311F25A019E40997360CF799D4ACB90
                                                                                                                                                                                                                                          Function 04431378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 209238b18d3860dce7f130869ef502efbc18f6605ebb4cb37fc01947c40dfbcc
                                                                                                                                                                                                                                          • Instruction ID: cd2e8e417f80cb187fecd622bca7e1ac05383335fc91122cd46dd1d3b4ca2ae8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 209238b18d3860dce7f130869ef502efbc18f6605ebb4cb37fc01947c40dfbcc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3821E2B1D042498EDB20DFAAC484AEEFBF0FF88324F14852AD459A7250C775A945CFA5
                                                                                                                                                                                                                                          Function 04431380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8175ec9034e2042389766c6f192af677318c829d251ab911a995a64520b28ed5
                                                                                                                                                                                                                                          • Instruction ID: a491722fe6d2a03d8149035fd0561aea2774ceea27ba88145992fce1d13d8bf2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8175ec9034e2042389766c6f192af677318c829d251ab911a995a64520b28ed5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 341106B1D042498FDB10DFAAC485ADEFBF4FF48324F10842AD45967250C774A945CFA5
                                                                                                                                                                                                                                          Function 04431968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9811960c3a5f6353b8f2ed11e1fc7fcbb21da6b8fcbf86f93a2b26f8da36a079
                                                                                                                                                                                                                                          • Instruction ID: 160f1ecf7b167e9353667a40b6e5d9121f68e2c03a90c304eb125a691c749a14
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9811960c3a5f6353b8f2ed11e1fc7fcbb21da6b8fcbf86f93a2b26f8da36a079
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15111F35A00115AFDB04DFA4D858AB97BBAEFCC311F256029E50AE73A0CF795D49CB90
                                                                                                                                                                                                                                          Function 04431440 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53097b86ddf95379081e63fe39271a366866d970aab737bd0304e465537c3983
                                                                                                                                                                                                                                          • Instruction ID: dbd6d2a72f607c6966edcc7a3c1db5fd1a334830430991a559822c97b90ec792
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53097b86ddf95379081e63fe39271a366866d970aab737bd0304e465537c3983
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5501B530A093455FCB098F7465261267FEAEFC971470A29EBC54ACF162F928D849C3D2
                                                                                                                                                                                                                                          Function 00A6D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1723125785.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_a6d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53232c48f564fc140325f128c67cc0885da8ab28e801eb6d70afb9bd080a5ee0
                                                                                                                                                                                                                                          • Instruction ID: 1322933f81a12d6091e9860b912db6b031582992f565e9e85ad435cd85a5bd90
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53232c48f564fc140325f128c67cc0885da8ab28e801eb6d70afb9bd080a5ee0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D301F770A083409AEB104B29C984767FFB8DF413A4F18C52AED0A0A186C279D841C6B1
                                                                                                                                                                                                                                          Function 0443182A Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6f1cce234dbc913a1229bd65cd850cff5f6b0c8e89744ae2aa90833eaaae015e
                                                                                                                                                                                                                                          • Instruction ID: c8a35a038801e9c51b5ff21130360829b4e14d97c44a264b75e01b5767690a2e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f1cce234dbc913a1229bd65cd850cff5f6b0c8e89744ae2aa90833eaaae015e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E018F71B001158BFB1CAA6891513BFBAE7AB8CB05F15822FC106E7795CE756C01CB95
                                                                                                                                                                                                                                          Function 04432664 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7744bebffe2c02c04777b8248199ebd2657c86964ac2a1eb4f2a8bcef7128135
                                                                                                                                                                                                                                          • Instruction ID: 9e9ca9c69f29436a8c773ab1636f5e5d6faa1af2e5d49bdfc1525a08c7a569a8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7744bebffe2c02c04777b8248199ebd2657c86964ac2a1eb4f2a8bcef7128135
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4DF09E366963806FEB002B7474593AEBF5CEB8B22AF0294EBD546C7463EC6888474350
                                                                                                                                                                                                                                          Function 04432A98 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5bf60eca29120d94fc080ba9a8093afacb54df988a47803b899d9dd616fe03fc
                                                                                                                                                                                                                                          • Instruction ID: 8e0232698c1df7164dbb83165e867994697e140408d9d57aac8c9a50634b65b1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bf60eca29120d94fc080ba9a8093afacb54df988a47803b899d9dd616fe03fc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4FF02B363043100BDB285E26A4C027E775BFBDCB1671480ABD905C7392DAA85C039650
                                                                                                                                                                                                                                          Function 044325D1 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 80c7ecc48bf8f6df8ad8f0294e9bfbfe94e0716d8df41614f47570ffd6342911
                                                                                                                                                                                                                                          • Instruction ID: 0b4be2dd94cea0a4fbc5d64c71e013ad20f702460a07883bc38594f8ebaee5cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 80c7ecc48bf8f6df8ad8f0294e9bfbfe94e0716d8df41614f47570ffd6342911
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31F0E232B640548BDB0C9668E0541FE777ADBCD222B25C13BD947E3A90EF685C4BCB41
                                                                                                                                                                                                                                          Function 00A6D01C Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1723125785.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_a6d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e5a5c4462edd25da2534a1ded17f53a9c0c3a0f12aa051a67a5221cb8e689ba8
                                                                                                                                                                                                                                          • Instruction ID: 9428f6ceac1cca6de67e3dcb2c181001c4c86749cf856ecfe9f4355b0fa9a53a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5a5c4462edd25da2534a1ded17f53a9c0c3a0f12aa051a67a5221cb8e689ba8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3F0C271508340AEEB108F1AC884B62FFA8EF51374F18C55AED481E286C3799C40CAB0
                                                                                                                                                                                                                                          Function 04431431 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 705584ed5892ac1ca0fd7f797139a1d0fa8d21f623de1d0b40b1e503c53a7da7
                                                                                                                                                                                                                                          • Instruction ID: 00c4c38c27a9ef860ab3e431f60818e4ad4b1089ee16cee766850c57eca6442e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 705584ed5892ac1ca0fd7f797139a1d0fa8d21f623de1d0b40b1e503c53a7da7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AF0FC306012455ECF0D4F74516512A7F9EEFC972470628AFC185CF171F928D846C3C2
                                                                                                                                                                                                                                          Function 044325E0 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7dc98406b0fbb77d7e76810132bade866079a585222fc2fccf8d40ddf1aeb815
                                                                                                                                                                                                                                          • Instruction ID: a192fefe2fcb9c2a972aad861be8fc32a59335f52e83eadfbcef25ea54eaa629
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7dc98406b0fbb77d7e76810132bade866079a585222fc2fccf8d40ddf1aeb815
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6E0E532B1415847CB0C9678E4544FEB77AEBCC211F11803AD916A3340EF705D0ACB91
                                                                                                                                                                                                                                          Function 04432654 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 03594f6271fc4316c69b6c989bc3b7784324918fe067e98bb3006f0b2fe39a31
                                                                                                                                                                                                                                          • Instruction ID: b415f58c3e08577ee2aa179906cc53f4ab843608b508efc0456963632b887a8c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03594f6271fc4316c69b6c989bc3b7784324918fe067e98bb3006f0b2fe39a31
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69E0652071422903FF382E6A55107A7768AAB88E1AF0008FBC801C7683E8C0F84102E2
                                                                                                                                                                                                                                          Function 04432590 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4c910ec20bb8f21c3348d79106aef14e63471239c0283dc39f36f7fc152e2574
                                                                                                                                                                                                                                          • Instruction ID: 3f8d2cf3232919665c2ae1ff454fb9c436a52a998ad666f32ae8fee7d2000755
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c910ec20bb8f21c3348d79106aef14e63471239c0283dc39f36f7fc152e2574
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63E08CF11452000FE716A7B4E9561C97FA1EB8431031799AAD086CBE37EE289C8B8381
                                                                                                                                                                                                                                          Function 044317F0 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b220b13139013b996bf4bba93064f6f12445f876449b2126f936d7957fa9a8d8
                                                                                                                                                                                                                                          • Instruction ID: 345d105174ac05c9a8cfc11ec203e69bbfecfb28fb4f89d8dc36efbbcc4a201e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b220b13139013b996bf4bba93064f6f12445f876449b2126f936d7957fa9a8d8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7D05E773592405FDB0DEB60F4560AA7F63E75A211305805BE586CAABAEE2409A2C744
                                                                                                                                                                                                                                          Function 04430C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b878287de27aa0dd96de9fbf394bf5bea4ae75f0bd002e63bc6bba0acc455f8f
                                                                                                                                                                                                                                          • Instruction ID: a1baea54d3460a0aec1b533a305882cbafd914a12ef15e444773dede1356bf15
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b878287de27aa0dd96de9fbf394bf5bea4ae75f0bd002e63bc6bba0acc455f8f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0D0A7323100187B5A0C6719D8868AABB99E7896613105437FA0287238DD60BC418399
                                                                                                                                                                                                                                          Function 04432A58 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 51d6fec7d58b8d1ee3b1e6be261986881a192b38b3642715a57e762b3da0326d
                                                                                                                                                                                                                                          • Instruction ID: 5bcae5d59780403bfe6de98ca54de63696b6b44772a83e4d1601847f4421d248
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51d6fec7d58b8d1ee3b1e6be261986881a192b38b3642715a57e762b3da0326d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95E017B0D0420D9F8B94EFB9850156ABBF4BF49605B2085EEC40CD7201FBB2AA02CB91
                                                                                                                                                                                                                                          Function 04430440 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: afb0fbe255efd340f5e277e9ff874ae26b7a5344a68602e42fe0eb32826410db
                                                                                                                                                                                                                                          • Instruction ID: 3f35b93a305296278995ba7aa5444259b6039ae582c785ad9448c17c7bd51cec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afb0fbe255efd340f5e277e9ff874ae26b7a5344a68602e42fe0eb32826410db
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43D022B2009382AFC3028A6804010A3BF70FAB260138AE3A3C080C9067D21EE493C271
                                                                                                                                                                                                                                          Function 04432C37 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1722288795.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 58a2f34b7d8d7389cc276a5c41ea204de40dea38c89774065321f84b86dbdcc8
                                                                                                                                                                                                                                          • Instruction ID: 361b7d67080551443dc3faae538260cb8b1ffa1c111e3643a7ae9d937731a89b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58a2f34b7d8d7389cc276a5c41ea204de40dea38c89774065321f84b86dbdcc8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6BC08C1214C3D49DE323A2B128207E57F880F1202EF0E00EF96888B0E3C40980989372

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 06A80040 Relevance: 1.7, Strings: 1, Instructions: 471COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770084167.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6a80000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;^q
                                                                                                                                                                                                                                          • API String ID: 0-2342212615
                                                                                                                                                                                                                                          • Opcode ID: 81663db35575cc3ba4856112fca76c6208ce23cf41ac8292e87d99fb567202fa
                                                                                                                                                                                                                                          • Instruction ID: 45ac6ff481e85056882fd3e07bbbeb47a81916afe92b9a922eb26d23b20285d6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 81663db35575cc3ba4856112fca76c6208ce23cf41ac8292e87d99fb567202fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE226F30E1061ACFDB54FF78C84469DB7B2FF89304F1186A9D946AB251EB70A989CB50
                                                                                                                                                                                                                                          Function 0699746A Relevance: 20.9, Strings: 16, Instructions: 913COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `q$$&_q$(_^q$4'^q$4'^q$4'^q$4'^q$4c^q$4c^q$@b^q$|-_q$$^q$$^q$c^q$c^q$`q
                                                                                                                                                                                                                                          • API String ID: 0-3238858861
                                                                                                                                                                                                                                          • Opcode ID: 9ce66a5e9a45215ddf7222b593ab4a64048ef04b8e73ff88687b2c3bfbf85c86
                                                                                                                                                                                                                                          • Instruction ID: 771778d35e78588fcafd32df3895fc7ce69d050f2129ee658e1c5bd937768689
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ce66a5e9a45215ddf7222b593ab4a64048ef04b8e73ff88687b2c3bfbf85c86
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39A2E730A4021CDFDB25AF64C954AEEBBB2FF49300F1045E9D5096B264DB369E86CF91
                                                                                                                                                                                                                                          Function 069974C0 Relevance: 20.9, Strings: 16, Instructions: 867COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `q$$&_q$(_^q$4'^q$4'^q$4'^q$4'^q$4c^q$4c^q$@b^q$|-_q$$^q$$^q$c^q$c^q$`q
                                                                                                                                                                                                                                          • API String ID: 0-3238858861
                                                                                                                                                                                                                                          • Opcode ID: 8dd4bb559b5fa67b7f71766a2c80626f62b7d1dd5e45fa975cbab778211201a6
                                                                                                                                                                                                                                          • Instruction ID: 7cd0ae8e522464837516c09069afd607521a2529ab934e8e9988aed04914970b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dd4bb559b5fa67b7f71766a2c80626f62b7d1dd5e45fa975cbab778211201a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F92C830A4021CDFDB259F64C954AEEBBB2FF49300F1045E9D6096B264DB369E86CF91
                                                                                                                                                                                                                                          Function 0699B9F8 Relevance: 5.3, Strings: 4, Instructions: 269COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq$(bq$(bq$(bq
                                                                                                                                                                                                                                          • API String ID: 0-2632976689
                                                                                                                                                                                                                                          • Opcode ID: 295d145b33f44d5fbe3ebe46f24abb8be87dc29bf7e89481855e2b898f82fecf
                                                                                                                                                                                                                                          • Instruction ID: 5ef9def5070a5dc16cb8aaf5278b90621eb76e0b8df155d8530c8c205a34cef6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 295d145b33f44d5fbe3ebe46f24abb8be87dc29bf7e89481855e2b898f82fecf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC81D331B001148FDB54EF7DE45469E7BEAEF88650B2480AAE50ACB7A4EE35DD01C7A1
                                                                                                                                                                                                                                          Function 0699B688 Relevance: 4.0, Strings: 3, Instructions: 216COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq$\;^q$|]q
                                                                                                                                                                                                                                          • API String ID: 0-2188306192
                                                                                                                                                                                                                                          • Opcode ID: 3769437c9c3a9eed76c2fdc0ab8dfa83b4e758df34f5ccbe53cb65e3ca1afbba
                                                                                                                                                                                                                                          • Instruction ID: d1f088b5e01f12a9c67fdd8c0dec7e3214dcfbd6f4fddfa268d28e30a75e2307
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3769437c9c3a9eed76c2fdc0ab8dfa83b4e758df34f5ccbe53cb65e3ca1afbba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4061D775B441168FDB589A6E955067FB7EBBFC4344F20802AD905D7BACDE38CC0287A1
                                                                                                                                                                                                                                          Function 069985C0 Relevance: 2.9, Strings: 2, Instructions: 436COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq$d
                                                                                                                                                                                                                                          • API String ID: 0-3334038649
                                                                                                                                                                                                                                          • Opcode ID: de1d9c75b90fca4efc05026ab9d63f1a329b36c30b446faf2917fbf4f981409d
                                                                                                                                                                                                                                          • Instruction ID: 039b242a3d3e2478a4162686aa6b057c5b321922aaa574d705e5a1b1bbb67c8d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de1d9c75b90fca4efc05026ab9d63f1a329b36c30b446faf2917fbf4f981409d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA028B34B006058FDB54CF19C58096ABBF6FF89314B25CA69D46A9BB65C730FC46CBA0
                                                                                                                                                                                                                                          Function 06991630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $^q$$^q
                                                                                                                                                                                                                                          • API String ID: 0-355816377
                                                                                                                                                                                                                                          • Opcode ID: d2de14ec642c1f50e79e0080002db90350bc314b585ac4caf953c32c3c2d1075
                                                                                                                                                                                                                                          • Instruction ID: cd1057d7bc25d003b619e3392257507ca37a97ba4a5c707f6b99616ebbe06575
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2de14ec642c1f50e79e0080002db90350bc314b585ac4caf953c32c3c2d1075
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B751C431B0020A9FCB55DF7CD8505AEBBFABFC9250B14852AE818DB764DA319D42C7A1
                                                                                                                                                                                                                                          Function 069930EC Relevance: 2.6, Strings: 2, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq$LR^q
                                                                                                                                                                                                                                          • API String ID: 0-516514815
                                                                                                                                                                                                                                          • Opcode ID: 1673fdcb53b7e96916f7d38e4c664aab4d47f2502df6e8d1484cce225f3f5dea
                                                                                                                                                                                                                                          • Instruction ID: 38598f2ff562616b17c2797bec6e89f2d07c9287e0bddacd5c75469307770c97
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1673fdcb53b7e96916f7d38e4c664aab4d47f2502df6e8d1484cce225f3f5dea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE41EE30B04254AFEF499F39986877F3BABEBC9600F108869E406D7794EE34DC4187A0
                                                                                                                                                                                                                                          Function 0699A228 Relevance: 2.6, Strings: 2, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq$(bq
                                                                                                                                                                                                                                          • API String ID: 0-4224401849
                                                                                                                                                                                                                                          • Opcode ID: 60fda173b6b00d2bbf1e3d461c4a8adc5f14bdb1684891d9f78129f6f06b4d9b
                                                                                                                                                                                                                                          • Instruction ID: 3c819ec58eae5565c0dd4805a9a0081fa8be6ca9ff82192904d198c9bd90596f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60fda173b6b00d2bbf1e3d461c4a8adc5f14bdb1684891d9f78129f6f06b4d9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58411630B042549FDB15DF69C854B9EBBF6EF89210F248099D806AB781CB75AD02CBA0
                                                                                                                                                                                                                                          Function 06996C20 Relevance: 1.6, Strings: 1, Instructions: 335COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: bccb39e98d0c9f6c4f90662f3e050823397a8f92c42d628e6160ae72ed50afe4
                                                                                                                                                                                                                                          • Instruction ID: 12634143680e0d6c8488af280abf18abaec7631b916eb16f1eee5c67f5c2331e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bccb39e98d0c9f6c4f90662f3e050823397a8f92c42d628e6160ae72ed50afe4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6BC19D30B001158FDB58DFADC494A6EBBE6BF88704B248869E4569F794DF30EC41CBA1
                                                                                                                                                                                                                                          Function 0699E1F0 Relevance: 1.6, Strings: 1, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Acq
                                                                                                                                                                                                                                          • API String ID: 0-1548273396
                                                                                                                                                                                                                                          • Opcode ID: 322a2c8e62fdcfb57830f399663ba2da5210ca759ac4475e751cc62e7231a9fd
                                                                                                                                                                                                                                          • Instruction ID: 04ea682a2fe23586fe05be9757e3546f344ed1cd9c21677e0e69ebfac2cbf0b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 322a2c8e62fdcfb57830f399663ba2da5210ca759ac4475e751cc62e7231a9fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89C16E70B102199FDF55DFA9D894AAEBBB6AF88300F244429D502EB794DB709C06CB61
                                                                                                                                                                                                                                          Function 069999B8 Relevance: 1.6, Strings: 1, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 849ab68523e6cc1093eb39e245c6e9679596f20b4b9a36d461f2e717c6f5aa7b
                                                                                                                                                                                                                                          • Instruction ID: 829b704f7a42f61790653be89212aced08e77704fa72356ffab55ae8bf898467
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 849ab68523e6cc1093eb39e245c6e9679596f20b4b9a36d461f2e717c6f5aa7b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CE12934A003598FDF45DF68C884A9DBBF2BF89300F298199D809AB365DB74ED45CB60
                                                                                                                                                                                                                                          Function 06A89FE0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 06A89FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770084167.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6a80000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: f88737505d9de092a68db6b51bc5377e0d6655730f79251f5343b77e0fe9971f
                                                                                                                                                                                                                                          • Instruction ID: 2128d9f324251a8cf2d7696bb269bbaddefbeaee6b472deebacda0ed0f891367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f88737505d9de092a68db6b51bc5377e0d6655730f79251f5343b77e0fe9971f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6110D35E016049FEB60FB74D4403ED77B1EB45368F148126D7156B290EB369D09CB50
                                                                                                                                                                                                                                          Function 06A89FD0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 06A89FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770084167.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6a80000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: 0f5098974bba36b5f2c758af005208571d6f87aec932c822026bbb34388825b9
                                                                                                                                                                                                                                          • Instruction ID: b3d897aa9ff77e097c09a9484cca23cd7b53ed0f048d1d86ec332d4d24b07bdd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f5098974bba36b5f2c758af005208571d6f87aec932c822026bbb34388825b9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74117B35E02644AFEB51FB34C8443ED7BB2EF49328F28815AD7156B190EB359C09CB90
                                                                                                                                                                                                                                          Function 06991080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 1baec46a9cea70122d05e307540d16d0aaee7365f02c82adb8fa2e4221c3eda0
                                                                                                                                                                                                                                          • Instruction ID: 1013c1afec2eec8973649256a64b3af984289ab2b3227bdbb3b73a2debd7bcfc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1baec46a9cea70122d05e307540d16d0aaee7365f02c82adb8fa2e4221c3eda0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E71B731B002159FDF58EB79C85466E77ABBFC8300F148429D506AB7A4EE35DC42CBA1
                                                                                                                                                                                                                                          Function 069968E0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: ddb4b8f1f16656c3b4831400d497f9f7680e158e608c14ea7603f284c8fa90fe
                                                                                                                                                                                                                                          • Instruction ID: ef4f6f0895885141ccc574c0be8f4a9f1de2ea2c0720c0594c78b583f08ddea9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ddb4b8f1f16656c3b4831400d497f9f7680e158e608c14ea7603f284c8fa90fe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97613A3AB002159FCB41CF69C98099ABBF6FF8D31071581AAE519DB321DB31ED16CB90
                                                                                                                                                                                                                                          Function 06996048 Relevance: 1.4, Strings: 1, Instructions: 188COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 7290a905f0f9c12e9609c3c6459aecb3509185ced763e6978718f5de3f1a5e05
                                                                                                                                                                                                                                          • Instruction ID: f7c76a82710d03ed61754f3fac927004008df29f762ba8b5b0fef2e4ec17c972
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7290a905f0f9c12e9609c3c6459aecb3509185ced763e6978718f5de3f1a5e05
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8714B34A003189FDB45EBE4C8A06DEBFB2EF88300F145429D2566B7A4DE35AD46DB91
                                                                                                                                                                                                                                          Function 06990E8C Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: ffa0481c4581ed0375e023138b926994d04cdb99d6e65fd919ee1088d26de524
                                                                                                                                                                                                                                          • Instruction ID: e0f099863c3b3817ddb8c6d9e21e94433d1c3ca4e1e3c61adb8cb28dc7baa64f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ffa0481c4581ed0375e023138b926994d04cdb99d6e65fd919ee1088d26de524
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72412831B001156BEF98EB6D9864BAF679BDFC8210F10842DE906EB780CE359D0687F1
                                                                                                                                                                                                                                          Function 06990C1C Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 7e1935534f009434703a4c76a5f163c968d5fac137d4c42b9fd0bc9ea6750343
                                                                                                                                                                                                                                          • Instruction ID: 81c6bcc6cb9f268f8932f2026ec2e9515309811010d478b367b883c351909b63
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e1935534f009434703a4c76a5f163c968d5fac137d4c42b9fd0bc9ea6750343
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6511230A04245AFDB48DB68D8547AE7FB6EFC9310F14846AE407E7781DE384C45CBA0
                                                                                                                                                                                                                                          Function 0699C4D8 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 616e44d3ec2ef59d4a7111760cf196631d606b25ab9f9e933af216aa7e5d8200
                                                                                                                                                                                                                                          • Instruction ID: 2f96db5dfec04e5207f799b144532f3b671ceea4527190d8381454b2dab9fafa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 616e44d3ec2ef59d4a7111760cf196631d606b25ab9f9e933af216aa7e5d8200
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D51E5357047418FC725DB38D95496ABBE6EFC5300718C6A9D44ACB765CA30EC46C7A1
                                                                                                                                                                                                                                          Function 0699E428 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Acq
                                                                                                                                                                                                                                          • API String ID: 0-1548273396
                                                                                                                                                                                                                                          • Opcode ID: 1f9743d7a3d6cfe87b52ea75dd5d7502106e694ce81fb64ad8a9ede90bd4a78c
                                                                                                                                                                                                                                          • Instruction ID: aa6065f3e925e76b7973562c1f540394b8f5e659afd6e874f97db49ce57160ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f9743d7a3d6cfe87b52ea75dd5d7502106e694ce81fb64ad8a9ede90bd4a78c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29419D70B10215DFDF54DF68D894AAEBBB6BF88204B104429E512EB794EF709C06CFA1
                                                                                                                                                                                                                                          Function 0699E438 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Acq
                                                                                                                                                                                                                                          • API String ID: 0-1548273396
                                                                                                                                                                                                                                          • Opcode ID: 73dd83d6116412704e0b040847244ebc6be6d0704cd62ec40e5dd560e36b7f7f
                                                                                                                                                                                                                                          • Instruction ID: ddc01d58a55ea5e476409f45366cabde4fba510c8fd61c7f54cda10c94000167
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73dd83d6116412704e0b040847244ebc6be6d0704cd62ec40e5dd560e36b7f7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C418D70B10215DFDB54DF69D894AAEBBB6BF88204F104429D912EB754EF70AC06CFA1
                                                                                                                                                                                                                                          Function 0699EA88 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 997a75112cbdaa7d381b72400b8b184d3c10e2d34ee429abe7ba95aac8ff1bba
                                                                                                                                                                                                                                          • Instruction ID: 6c3364d53baff648e9546ac9c111642031a89be8b7f4c55a02326fcb0631c8c8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 997a75112cbdaa7d381b72400b8b184d3c10e2d34ee429abe7ba95aac8ff1bba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1931DF31B002158FEB58DA6ED89196EBBE6EFC82507244439E506CB790EE70DC028BA5
                                                                                                                                                                                                                                          Function 069985B0 Relevance: 1.4, Strings: 1, Instructions: 118COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 1c12b8fac6189932a23f12ba76231f1be2abd34082baec83370623238ddfc61d
                                                                                                                                                                                                                                          • Instruction ID: 71a27e877fb33528fbefa9a29d90fd0c938049ed26b1f94b26b5df543535bd8e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c12b8fac6189932a23f12ba76231f1be2abd34082baec83370623238ddfc61d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E416C34B106058FDB54CF59C580A6ABBF6FF8A314B258969D45AEBB61CB30E841CF60
                                                                                                                                                                                                                                          Function 06993719 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LR^q
                                                                                                                                                                                                                                          • API String ID: 0-2625958711
                                                                                                                                                                                                                                          • Opcode ID: 5e29d5ea50cd90751e80f1378f6bdb625484d87f6d697b2d665604da72ec7173
                                                                                                                                                                                                                                          • Instruction ID: 79da7ae6f4e9bfcf36ea910dd16311eb6d9ac18776fefe647cf5268ca2192f68
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e29d5ea50cd90751e80f1378f6bdb625484d87f6d697b2d665604da72ec7173
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D21E271B00215AFDF88DE299C497BF7BAEEFC5614F10442DE406C7694EB349D0187A1
                                                                                                                                                                                                                                          Function 069945C8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 417c4081739f1881268e460330dc29d2f725c779253a1e7935e19fbeb8b01f08
                                                                                                                                                                                                                                          • Instruction ID: 35aae4845fdb71ae71a86527f02399a1b0e95d626eea8603c1fcf0cc0feb759b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 417c4081739f1881268e460330dc29d2f725c779253a1e7935e19fbeb8b01f08
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D21C1353042409FDB05EB6DD85496A7BE7EFC921432940A9E24ADF765DB30EC07CBA1
                                                                                                                                                                                                                                          Function 0699AF10 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;^q
                                                                                                                                                                                                                                          • API String ID: 0-2342212615
                                                                                                                                                                                                                                          • Opcode ID: 80655cc6d4e868b896f9aea36d0397a2f7b901cf64ca3046246b23e782d7001d
                                                                                                                                                                                                                                          • Instruction ID: 31d9bb32d43811a3c50ebc2165fa29e10430dd54dd0bb9002b07a367be70f484
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 80655cc6d4e868b896f9aea36d0397a2f7b901cf64ca3046246b23e782d7001d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F1186327042054F9B549AAEA48495BF7DEEFC8668324803BF50EC7B59EE61EC054360
                                                                                                                                                                                                                                          Function 06995F48 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LR^q
                                                                                                                                                                                                                                          • API String ID: 0-2625958711
                                                                                                                                                                                                                                          • Opcode ID: 87787e33a4ceb502ad16e5da995e2d24a5dae6e2e8e31721345181b20aba6d24
                                                                                                                                                                                                                                          • Instruction ID: 2a645b0beef6a143d94eb664be4a86d06da1728e73b836a9bf6cf3d18d7cd058
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87787e33a4ceb502ad16e5da995e2d24a5dae6e2e8e31721345181b20aba6d24
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C216F34B101189FDB589B69C455AAEBBF6EF88714F108019E902AB7A0DE71AC01CBA5
                                                                                                                                                                                                                                          Function 06995F46 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LR^q
                                                                                                                                                                                                                                          • API String ID: 0-2625958711
                                                                                                                                                                                                                                          • Opcode ID: 4501b1bb08ccaf3d63d68a5726a261e3148cdb179353269fd1d44f04037b063f
                                                                                                                                                                                                                                          • Instruction ID: 63e23f4c72390459dd4cb990fe87e221aa048803d633ad72367e799432591c5e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4501b1bb08ccaf3d63d68a5726a261e3148cdb179353269fd1d44f04037b063f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A219334B101149FDB599F69C455AAE7BF6EF8C714F108019E902EB7A0DE719D01CFA1
                                                                                                                                                                                                                                          Function 06993370 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fcq
                                                                                                                                                                                                                                          • API String ID: 0-2768158334
                                                                                                                                                                                                                                          • Opcode ID: 6455010146dba053665343ca383564e8f8fea631fe039c9775c935aaa78dd3d4
                                                                                                                                                                                                                                          • Instruction ID: 3da9ea12e98aef59e00fbb1c88b0f4f4d1c231d75dbb8e83fffd03cafbbff7b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6455010146dba053665343ca383564e8f8fea631fe039c9775c935aaa78dd3d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47118F75B01518AFCB18AFA59854AAFBFBAFBC8640B008029F909D7240DF345D028BA1
                                                                                                                                                                                                                                          Function 06993380 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fcq
                                                                                                                                                                                                                                          • API String ID: 0-2768158334
                                                                                                                                                                                                                                          • Opcode ID: e772b4b05a198b13461f7a8e67d4d2a02b1a13b6f1bc0fb2961aaba946d56d9a
                                                                                                                                                                                                                                          • Instruction ID: 9bf5087f823adca0505545b3ea9ed477c887e8b2b722a3df0b17000d69e6ae02
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e772b4b05a198b13461f7a8e67d4d2a02b1a13b6f1bc0fb2961aaba946d56d9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E11A535B001186FCB18AFB5985497F7FA6FBC8650B008029FA09D7340DE345D028BD2
                                                                                                                                                                                                                                          Function 069957B8 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 600686eb313d842889e8188959be0fa3fc3a44a9100813a811d0d98713267e90
                                                                                                                                                                                                                                          • Instruction ID: f6939770afeae3c506dcfe2d15ca3ffb64112319f42342c673546b1e3c00bc9b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 600686eb313d842889e8188959be0fa3fc3a44a9100813a811d0d98713267e90
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0601F7203043414FD705AB3DD85056E3BD79FC611032845B9D04ACBB95DE25EC06C791
                                                                                                                                                                                                                                          Function 069999A8 Relevance: .3, Instructions: 298COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2b8bd2ff070a0785da821dfc20f73d91b70284739fd45fdf0ea1a1d3e897a5d7
                                                                                                                                                                                                                                          • Instruction ID: 4b95bcc8e62b4f27943a8626b9e5f9b8c85da72c98deef355a9e95b1ec245bf5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b8bd2ff070a0785da821dfc20f73d91b70284739fd45fdf0ea1a1d3e897a5d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27D12934A003598FCF45DFA8C884A9DBBF2BF89300F298159D809AB265DB74ED45CB60
                                                                                                                                                                                                                                          Function 0699BE40 Relevance: .3, Instructions: 273COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0d99de6a41ca95152cb7f11316e61e654b8eb9605871c7706e0df7be935c34c3
                                                                                                                                                                                                                                          • Instruction ID: b4b9b5aad3173fc6ee0e1311fc75f4398ed9da2868b1006f56200b9417ff4300
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d99de6a41ca95152cb7f11316e61e654b8eb9605871c7706e0df7be935c34c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92B18934B00601CFDB55EF38D98496ABBF2FF89304B148569E94A8B765DB30EC06CB91
                                                                                                                                                                                                                                          Function 0699BE32 Relevance: .2, Instructions: 192COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 956feb12d7e18a7de79e74f393c10860207803aa1a6490cdba03e2b469e388fe
                                                                                                                                                                                                                                          • Instruction ID: 543a745479bdfdf2d6b48af2c8fc56db50f12b65010e9cdbd6268fd5f66d35eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 956feb12d7e18a7de79e74f393c10860207803aa1a6490cdba03e2b469e388fe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF719C74B006018FCB55EF38D9949AEFBF2FF89200B148669E9568B755DB30EC06CB90
                                                                                                                                                                                                                                          Function 0699ABA0 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c1fa1a61b8b18079206f92fe3ccf4b47021ffdeeaf308dbdf9e42f495ef9156b
                                                                                                                                                                                                                                          • Instruction ID: db4fa61a8bab48565184d5e4257024a8e456f6dc7853c5d931d999fe881e7885
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1fa1a61b8b18079206f92fe3ccf4b47021ffdeeaf308dbdf9e42f495ef9156b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C65116347401118FDF899F2EC49892A77EAEFC961232984A9E406CF775EE31DC42CB60
                                                                                                                                                                                                                                          Function 0699A955 Relevance: .2, Instructions: 183COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f84aae1bcab24ae186d93bd7e12336da076b97f805091b71720126e5cbc15d83
                                                                                                                                                                                                                                          • Instruction ID: 21ef90b144520590ce20c46c39eff1f7bdd51ea0c1d70e3e52119d9c7de12079
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f84aae1bcab24ae186d93bd7e12336da076b97f805091b71720126e5cbc15d83
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2661BE2190E3D48FDB03DB2C98A46EA7FB1EF47214F0904DBC0C19B277D6289959C7A6
                                                                                                                                                                                                                                          Function 0699E7D8 Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 257fb5bceac2de106be3ae13e7ecc92fee98ac16930453e59e0512b8ef33b0df
                                                                                                                                                                                                                                          • Instruction ID: 386c7326a21a7d4047aa756f49107eea05a4a5e7f2c31f1d3131a4498021d0a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 257fb5bceac2de106be3ae13e7ecc92fee98ac16930453e59e0512b8ef33b0df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80618030B002099FDF58EB69D594BAEB7F7BF88614B208429D506DB794DF70AC05CBA1
                                                                                                                                                                                                                                          Function 0699B418 Relevance: .2, Instructions: 165COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1077d88fa909f73a116653374fc8956979d9ee3049a4c7a4ee0f1185f65a63cf
                                                                                                                                                                                                                                          • Instruction ID: 13ced9d16015ef892de6a8d23e6360eed846c847c09fdf42c7a168285b42cbff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1077d88fa909f73a116653374fc8956979d9ee3049a4c7a4ee0f1185f65a63cf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E951E1325092D48FEB06AF3CA8A47E73F71EF42218F0941D7C4C08B267DA24985BC7A5
                                                                                                                                                                                                                                          Function 06996BF1 Relevance: .2, Instructions: 162COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2a2954a18d97371cb0a9f23ec3fb074e80ed3b2b9d728de7bdfb9de03ad78724
                                                                                                                                                                                                                                          • Instruction ID: 0e6d469d75b3044beb9cb02e7745c8f699dc9e23df9b81ccb67cd68896c091d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a2954a18d97371cb0a9f23ec3fb074e80ed3b2b9d728de7bdfb9de03ad78724
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F519E30B002068FDB45DB6DC994AAEBBF2FF84310B258569E855DB3A5DB30ED05CB91
                                                                                                                                                                                                                                          Function 06995482 Relevance: .2, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 959027e21776dd11f842d35ad16ca0c92581cdf3c528ff62e78310847be9f52f
                                                                                                                                                                                                                                          • Instruction ID: c25b90f51ffcdc30e3d0a3daebcf2920e936a7eac0337c92d8c36afb9b58e51e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 959027e21776dd11f842d35ad16ca0c92581cdf3c528ff62e78310847be9f52f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13513AB4E00219EFDB05EBA4D9546AEBBB6FFC8300F404419E6167B7A4CE316D45CB61
                                                                                                                                                                                                                                          Function 069960D9 Relevance: .1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b0d4077981d4b1da55287a91101ec7323bb4d41454bfe41a12545dd5a5ec546
                                                                                                                                                                                                                                          • Instruction ID: 081ec0114fbf827e29e7a3afa18d5adcad4657222e1d3d415787ed1381ea01ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b0d4077981d4b1da55287a91101ec7323bb4d41454bfe41a12545dd5a5ec546
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18512974E002189FDB45EBE4C9A0BDEBFB2EF88300F105429D2167B7A4DE356D45AB91
                                                                                                                                                                                                                                          Function 069934A8 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0d7999925850a6c55248a62ec6722209868173ba313869575d8ea02cc6597eef
                                                                                                                                                                                                                                          • Instruction ID: b9cb4c5d09590834573b5a550d7a5877c01e6449d6ef9ddd5a9dff694b6ce8b4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d7999925850a6c55248a62ec6722209868173ba313869575d8ea02cc6597eef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD51943431060A9FCB45EB68D96066EBBA7EFC4604B109638D40ADB758EF70FD4A87D1
                                                                                                                                                                                                                                          Function 069934B8 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 40e76fdf36b8cecab56d2a2b3bd2589b1bc829ae0257695bc3a67fa259594395
                                                                                                                                                                                                                                          • Instruction ID: 0dba0b66211a7965ab0e5d1c8796ee3254113de37c07a81b485a98242622300c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40e76fdf36b8cecab56d2a2b3bd2589b1bc829ae0257695bc3a67fa259594395
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E851823431060A9FCB45EB68D56066EBBA7EFC4204B109628D40A9B758EF70FD4A87D1
                                                                                                                                                                                                                                          Function 06995490 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d567e7121028350dde1da5ebc61b1adda10c7cf8d342ecc70b8ad22fe923c2df
                                                                                                                                                                                                                                          • Instruction ID: 85c29b52447d7a5f056cf8a476ccc2c9bec48692271ae6ecef33ed4d48e7888b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d567e7121028350dde1da5ebc61b1adda10c7cf8d342ecc70b8ad22fe923c2df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C51F8B4E00219EFDB05EBA4D9546AEBBB6FFC8300F504418E6167B7A4CE316D45CB61
                                                                                                                                                                                                                                          Function 069960F9 Relevance: .1, Instructions: 134COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 35820de2264c859238063818b4f95f323b753141a7f62fcc574d228ecacdea82
                                                                                                                                                                                                                                          • Instruction ID: 5101dfc3b746e240e83e069b305a50efe78cd5db47b19a1005971c7b54577383
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35820de2264c859238063818b4f95f323b753141a7f62fcc574d228ecacdea82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4151F774E002189FDB45EBE4C9A0BDEBFB2EF88300F105429D2167B7A4DE356D45AB91
                                                                                                                                                                                                                                          Function 0699B4FC Relevance: .1, Instructions: 127COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91cdede0eb6cfaf6ca37b81c4983a44ea5e2e4bf973466fd77fb14a409fcfb7a
                                                                                                                                                                                                                                          • Instruction ID: 2c54a3032808cbe08e393325807b6d91b837a9034988d8606395eb6b23074b45
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91cdede0eb6cfaf6ca37b81c4983a44ea5e2e4bf973466fd77fb14a409fcfb7a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D541E4356093948FDB06DF38ECA4BE77F76EF42214F0541D6D4818B263DA34991ACBA1
                                                                                                                                                                                                                                          Function 06991F08 Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d9a04d8282606c4f3589470c831599b82b4d603d33d46c923fcfccec404cb746
                                                                                                                                                                                                                                          • Instruction ID: e09e912d4a8672761c040756924af14045df2c9ee31ec39c23a2e2477c1ca5a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9a04d8282606c4f3589470c831599b82b4d603d33d46c923fcfccec404cb746
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D731873270934A7FCF199A6E7821A6F7F2ADB81154B05502BE50ACF641EA245D02D7F1
                                                                                                                                                                                                                                          Function 0699B4F7 Relevance: .1, Instructions: 116COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 067c0af4c2de8582e7f054642b98dc6aaba1d8b58868914386e5276b7171b44c
                                                                                                                                                                                                                                          • Instruction ID: daee4a242b1b810cfbc5adb94ecc8a1dc02e964ff39522af63a9cf9bafdb664f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 067c0af4c2de8582e7f054642b98dc6aaba1d8b58868914386e5276b7171b44c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39412835A093948FEB129F38EC647E73F75EF42314F0540E6D8808B263DA34995AC7A5
                                                                                                                                                                                                                                          Function 0699E7C7 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 997db9a657f640758b288ed9f7d375e0cbea7c46b8b3687768bf702b84ad261c
                                                                                                                                                                                                                                          • Instruction ID: 3c21d5b4daa0f179a1fc1d42b9a68090c9d7c99da94a37578bd9fdf68de6acac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 997db9a657f640758b288ed9f7d375e0cbea7c46b8b3687768bf702b84ad261c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D41D031B002049BDF59EB7DD454BAEB7FBBF88614B208428D516E7794DF70AC068BA1
                                                                                                                                                                                                                                          Function 0699C9A8 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 45ef36e93f302647ac893ac742cd95ceae8f461be322008fd9f2b4364ea8c615
                                                                                                                                                                                                                                          • Instruction ID: 039240d92235bf18759f64f727edb8b9ed98da4ca041f4427eb9992b8d730582
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45ef36e93f302647ac893ac742cd95ceae8f461be322008fd9f2b4364ea8c615
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8731BE4244F3E06EEB43AB3C5D705E67F659E5321470A05D3E0D18B4B7D5098A9DC3BA
                                                                                                                                                                                                                                          Function 06992268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 265bf5a9d8cd9d294d987b79fc9b730c2590451854020ba9a0d3bc38d6ed7dd5
                                                                                                                                                                                                                                          • Instruction ID: e0210dfd600f776803a8688111866bdd2b92c931f555c2a86af227b42f9beceb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 265bf5a9d8cd9d294d987b79fc9b730c2590451854020ba9a0d3bc38d6ed7dd5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE41EB35B101189FCB94DF69D88099EBBB6FF88710B148169E915EB360EB31DD42CBA0
                                                                                                                                                                                                                                          Function 0699E1E0 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25609db24d0bf6e8f1a7666d4a0018cb14740927ca3f7e61287821b05ad09312
                                                                                                                                                                                                                                          • Instruction ID: d439683fd8c8e83a28b5079f746195db40bb41f629ee86510980dcd260c42b38
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25609db24d0bf6e8f1a7666d4a0018cb14740927ca3f7e61287821b05ad09312
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9414735E002498FCB14CFA9C58499EBBF6BF89300F288169E805AB364DB70ED46CB50
                                                                                                                                                                                                                                          Function 0699F69B Relevance: .1, Instructions: 104COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 17297a299459870ceb27a34d386939455874644d7a55f0123a375a53167fe5b6
                                                                                                                                                                                                                                          • Instruction ID: f1248c47f3ae757a7e0f14199265682303389fa0b498fc2c97829584a855e9a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17297a299459870ceb27a34d386939455874644d7a55f0123a375a53167fe5b6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8419130B042558FCB55EB78D89496EFBFAAFC9300B144469E546CB365DB34DD0ACB60
                                                                                                                                                                                                                                          Function 0699F6A8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 227d8d67b826261a99c8fc0c92b98be6234057203b7cd0ccde5cccfeb5d7eba3
                                                                                                                                                                                                                                          • Instruction ID: 23bc22b66b6afe6fe069ef9d66b32debd8de785b6c860d199c7d4d7b65988238
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 227d8d67b826261a99c8fc0c92b98be6234057203b7cd0ccde5cccfeb5d7eba3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2041C3307042558FCB55EB68D488A6EFBFAAF89300B144469E146CB365DB74EC0ACB60
                                                                                                                                                                                                                                          Function 0699B080 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fbc3ae86eda360bcdbce6da455cbb32da554951123a0c75044cceb612475c69b
                                                                                                                                                                                                                                          • Instruction ID: 94c0dfd0c0291e5b0082b37cbead919704656699172e5306aa7ba6d326a4b920
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbc3ae86eda360bcdbce6da455cbb32da554951123a0c75044cceb612475c69b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7319235B001058FCB50CA6DE940A6BF7EAFF84210B14C16AE51DC7759DB75EC01CBA0
                                                                                                                                                                                                                                          Function 06994520 Relevance: .1, Instructions: 97COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1bc2a8d5b97492160bf7082bb15abe539200e0902b7190c35752645aa06d281d
                                                                                                                                                                                                                                          • Instruction ID: 9e4f6190750780dc066f107615bf0c08138e6d8bf291b90e9d2961a25bf86801
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bc2a8d5b97492160bf7082bb15abe539200e0902b7190c35752645aa06d281d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D121F6313093915FC713EB7CED60A9A7FE6DF8660070801AAE185CF766CA24ED46C7A1
                                                                                                                                                                                                                                          Function 0699310C Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 85927f221d0eff089ae2abaf6b41e069796f2ca729720103d42748b512beb199
                                                                                                                                                                                                                                          • Instruction ID: e8ea2e4682a5bdb5141ac0384b31211dce27691604707dc906ce8c14c6c82bc9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 85927f221d0eff089ae2abaf6b41e069796f2ca729720103d42748b512beb199
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC213731656229BFCF822AA86C143FB7F5DDF82220F109063F95897991DE288D45C3F0
                                                                                                                                                                                                                                          Function 0699C558 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 52e35374433d156a58f3f53393d3334b86c8cc48014ecc7f977dedf8d495dda4
                                                                                                                                                                                                                                          • Instruction ID: 35c7c5100d8e97dc890e1de1d41be9d72dce555d31459360e5d54fe423429aba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 52e35374433d156a58f3f53393d3334b86c8cc48014ecc7f977dedf8d495dda4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1631A135200641CFC721DF28D994926FBF6FF893107188AA8D54A8B766CB30FC46CB90
                                                                                                                                                                                                                                          Function 06991062 Relevance: .1, Instructions: 83COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 54ba66b12192e13b7935f49df899ec7a083cc6c929813dc1656fbc15c4347acd
                                                                                                                                                                                                                                          • Instruction ID: c8c89f4c12b6b50cb60dc5899918d8a03f6ad3abce3a6d90d61effeac25d6bd0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54ba66b12192e13b7935f49df899ec7a083cc6c929813dc1656fbc15c4347acd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88217C31F04341ABDF15CA7888506EF7FAEEF89210F04406AD407D7681EA34CD02C7A1
                                                                                                                                                                                                                                          Function 069928F8 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b55b982a36978d96bb0976b1621725d29b4c0c3387749921454742a81a14fe2b
                                                                                                                                                                                                                                          • Instruction ID: 660e73f30e5fead3f8d39cfcec5224eb3673d685b01ac3964ddfe364a95d8b5e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b55b982a36978d96bb0976b1621725d29b4c0c3387749921454742a81a14fe2b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5421986145E3C55FC3039B78A8A56E63FB0DF83144B1A40E7D8808B163D919495EC791
                                                                                                                                                                                                                                          Function 0699B598 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7c43852b6df5288df8083738b98364abca49fb96f48f3df6dba08cef4660ea84
                                                                                                                                                                                                                                          • Instruction ID: 6bbc54cb7dca9437b69d50e0d7abd8fb5dc69fbbd3216afd5531e3f5d37b6690
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c43852b6df5288df8083738b98364abca49fb96f48f3df6dba08cef4660ea84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5321F234B00208CFEF549B78E844A6B77AAFB84715F108575E9058B754EF71E946CBA0
                                                                                                                                                                                                                                          Function 043BD6A4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1770695843.00000000043BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 043BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_43bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b088b9a4bc6758666e06d26c3f37f52b20cde50aa7f2b2df6e5b62f8d7600e4
                                                                                                                                                                                                                                          • Instruction ID: b049393e6531824976dea8c0c28a7ac9b213231a3ad26c9bbe6f4909ac89c72c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b088b9a4bc6758666e06d26c3f37f52b20cde50aa7f2b2df6e5b62f8d7600e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53214575600240DFDB01DF14D9C0BAABF65FB84324F20C169DE490BA16C336E446CBE1
                                                                                                                                                                                                                                          Function 0699B930 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c98d537542ea5a00bed84760579bea33dba2235810cb195751640020b77e6d74
                                                                                                                                                                                                                                          • Instruction ID: e1a34cb4b0209d5916f4aeb51a798ea76d9871235252291946f92e04cd51861e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c98d537542ea5a00bed84760579bea33dba2235810cb195751640020b77e6d74
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE1166317542014F9B94C61DD490A2BB7DADFD8264724843FA94AC7758EE75EC0183A0
                                                                                                                                                                                                                                          Function 06990D4C Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b103c1437acc059fb32a74e5fdd40e027064bcd47b942cb17422b7be8f3aad37
                                                                                                                                                                                                                                          • Instruction ID: 4473b1c0458fbb9e81f044a4552f162fa3b4df2fd21e08d3e7d94c7127f1c5cc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b103c1437acc059fb32a74e5fdd40e027064bcd47b942cb17422b7be8f3aad37
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A115C313043506FD715EB7C58107AB7F9ACFC1620F04446AE64ADB291EE25DC4487E6
                                                                                                                                                                                                                                          Function 069930FC Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 63c46325302bb24a393bd9623cc898eb99ac66744740cc828a5146a8f5086182
                                                                                                                                                                                                                                          • Instruction ID: f61e3821e48e380605d6db77f6d869560135fb8676c9e596e7c99d2c2fb868ee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63c46325302bb24a393bd9623cc898eb99ac66744740cc828a5146a8f5086182
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E11E920B193547BEFA56A7C18143BF2F9E8B82614F1444AAD952DBA82DD94DC0143F1
                                                                                                                                                                                                                                          Function 06992258 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 76b2ccb81d60ba8ce7e9caf360e0270080d4e5053f0c3fe338f25f7b01991b9c
                                                                                                                                                                                                                                          • Instruction ID: 0cc629cd9650f3a7382e0dad32211e300190639f60f80b1a48302ec84a373d23
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 76b2ccb81d60ba8ce7e9caf360e0270080d4e5053f0c3fe338f25f7b01991b9c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1211D75E11218AFCB94DF69D88599EBBB5EF8C711B108129E815EB320DB319942CBA0
                                                                                                                                                                                                                                          Function 0699A219 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7d337424ff6345dad7c7535f610b533632d109d848567ef5fa07792fac861d07
                                                                                                                                                                                                                                          • Instruction ID: 327ff8272984855d5cdcbc0f79d23c34ad3afb33c2e244b1daa90dc01359b73b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d337424ff6345dad7c7535f610b533632d109d848567ef5fa07792fac861d07
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75116D34A002059FDB54CFAAC984BDEBBF6EB8C710F218015E805AB750CB71ED46CBA0
                                                                                                                                                                                                                                          Function 06993A35 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 268e3e3ce851f6ca0964d5b93a4c6ca39b681e52a0bf31eed9c65c61722b0ff4
                                                                                                                                                                                                                                          • Instruction ID: 7521fa9481f81212a2330fd3fd1ec44deefb6bc97bf25e6cdff62e61c3e2ed8a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 268e3e3ce851f6ca0964d5b93a4c6ca39b681e52a0bf31eed9c65c61722b0ff4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94114230A00109AFDF44DF69D850A9E7BB7EFCC320F148025E41AA7794DE799C85CBA0
                                                                                                                                                                                                                                          Function 06993A38 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 73b84dbfb10d3e8b5e0f6cf99400c9f1b8e881c08f5531d1054c8bee8067a2ca
                                                                                                                                                                                                                                          • Instruction ID: 506b91383ccd02551fa672fa26c5da8ff307187f8e1cc3ca1976dd517c06e08f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73b84dbfb10d3e8b5e0f6cf99400c9f1b8e881c08f5531d1054c8bee8067a2ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89111234A00109AFDF44DF69D850A9E7BB7EFCC320F149025D416A7794DE799C85CBA0
                                                                                                                                                                                                                                          Function 06991958 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1a11ecd1a8d3cd79505380768f39d8467ea6e3f7a2909b17b93c84fb77732639
                                                                                                                                                                                                                                          • Instruction ID: 837a72b9d0935486e34cf7b02484c31f5cd685016c8d6a8dd987347e61548f79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a11ecd1a8d3cd79505380768f39d8467ea6e3f7a2909b17b93c84fb77732639
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8112C35601255AFCB04DF64D498AAA7BB6EF8C320F149019E40BA7690DB795C85CFA0
                                                                                                                                                                                                                                          Function 0699AAE0 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bedd9508768df8f7308293dbcb5f7bfa89a0383922de806be77e586914b78cea
                                                                                                                                                                                                                                          • Instruction ID: 2996ffdc7b7263e66a425ecb61971f34bb2b32576fc96d433722bbad13d0d170
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bedd9508768df8f7308293dbcb5f7bfa89a0383922de806be77e586914b78cea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD21DB74E00209DFCF44DFA8D580AAEBBF2EF48310F504499D946A7764DA34AE40CB91
                                                                                                                                                                                                                                          Function 06992998 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 68d71cc5ebce0ab05a1b74b3f360a47e7fd169203a342c73be4ce87c6fa546a6
                                                                                                                                                                                                                                          • Instruction ID: 57c2f88ea8816fd73c0d5c997c05ee6185ee8454feed781e722bc6557b9c5e21
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68d71cc5ebce0ab05a1b74b3f360a47e7fd169203a342c73be4ce87c6fa546a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A01F53051A344AFCB02DB70ED51BDA3F71DF42104B1645D7E484EF6A3EA255E0A87E1
                                                                                                                                                                                                                                          Function 043BD69F Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1770695843.00000000043BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 043BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_43bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 402c6a8559748647fef594cd0c7d6ed57cea98399c5c457cfc3d558c3163147f
                                                                                                                                                                                                                                          • Instruction ID: f8709afb13285366cbff03ad4be0529d24e9c703a319afd60e4c812889f39666
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 402c6a8559748647fef594cd0c7d6ed57cea98399c5c457cfc3d558c3163147f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC11D376504280CFCB16CF10D9C4B96BF71FB84314F24C6A9DD494B656C336E45ACBA2
                                                                                                                                                                                                                                          Function 06991378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 337a44fe53a83893a9c2e4eb7c9bbcb39b90726bde5d5255ec68f806d0e60d35
                                                                                                                                                                                                                                          • Instruction ID: 928c15075977635f92012f6ef481f01070ccf5fd8918340a7947d9587fb0c42b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 337a44fe53a83893a9c2e4eb7c9bbcb39b90726bde5d5255ec68f806d0e60d35
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5921F0B0904249CFDB10DFAAC481AEEFBB0FB88324F10802AD859A7250C7746946CFA5
                                                                                                                                                                                                                                          Function 069946A0 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f822d2fff786f98545323048d66c90a290d3ad0748d60319a4542e4b763d679
                                                                                                                                                                                                                                          • Instruction ID: f0f437065153f582b9c11b6e3af022021fd6d079cf7f6973d1e35413c149dc91
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f822d2fff786f98545323048d66c90a290d3ad0748d60319a4542e4b763d679
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C11A139706240AFCB02CB9CC844D567BFAEF8A71471600D6F245DF762C6358C06C7A1
                                                                                                                                                                                                                                          Function 06996038 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c48ee177e512b6e214f2f9f2697229f624c6359ae94fb73eaf9da0b530ac839a
                                                                                                                                                                                                                                          • Instruction ID: b86dd14e92cf38f0d4b6bd71ffd3a209e64a253eb772a67950441911be97bec4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c48ee177e512b6e214f2f9f2697229f624c6359ae94fb73eaf9da0b530ac839a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6112B31508790DFCB659B2DE8486DBBBF5EF42704B14491ED08647A62CBF4A849C771
                                                                                                                                                                                                                                          Function 0699576F Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4d2b9b90f8f38514bba75952138da7cec5167e3033827ac5107e37df8d568a1a
                                                                                                                                                                                                                                          • Instruction ID: 499f877dbe69387ba5be614d1fdb12a59cb990e88f09ffecb1910512c9d8dc90
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d2b9b90f8f38514bba75952138da7cec5167e3033827ac5107e37df8d568a1a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D201F9353046005FCB42F768E5905EEB7A6EFC0214750C53AD15ACFA25DB34AC4A8791
                                                                                                                                                                                                                                          Function 06991380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 45a1d23dd94ad202bab40f2fa77ab267e315add8735dc433160e22de29f16300
                                                                                                                                                                                                                                          • Instruction ID: 0cd479a3440c3a1d92a4f20e1c09db6ad0ec20f3826cbe65786facaf1e910e5e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45a1d23dd94ad202bab40f2fa77ab267e315add8735dc433160e22de29f16300
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4311E0B1D04249CADB10DFAAC881AEEFBF4FB88324F10842AD459A7250C7746945CFA5
                                                                                                                                                                                                                                          Function 06991968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 30c77a4707691d62d504a70d1262863114e5a19e78555a1318675a5971e56f57
                                                                                                                                                                                                                                          • Instruction ID: 7674225d1f5b453e215dbd2d82cd2797a4d2ed28c5a4888bf599b0a2829681df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30c77a4707691d62d504a70d1262863114e5a19e78555a1318675a5971e56f57
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33110D35600215AFDB48DF64D458AAE7BB6EF8C321F149419E40BA7390DF799C85CFA0
                                                                                                                                                                                                                                          Function 069946C8 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ceb60482f657a7bc102abc030bece506cb384ebdee508ddd1266e54ba6cc54ad
                                                                                                                                                                                                                                          • Instruction ID: b37af880d05aaf3128c9dfd3dc82d44a9fbb0794033a95e6f7e4d9f00960cc76
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ceb60482f657a7bc102abc030bece506cb384ebdee508ddd1266e54ba6cc54ad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF019E74F012089FCF41DBACE8049DDBBFAEB89315F0180A6E509EB754DA348906CB91
                                                                                                                                                                                                                                          Function 0699B920 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8f9e4feef34671f50a81f9e0b89049f27b69b5bec37e76cf3eabd5731a2c4fcb
                                                                                                                                                                                                                                          • Instruction ID: 067bd0b73aee7c7bd97dfaa066c0f0f21a101a67bba200e03b1504188f6e14a8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f9e4feef34671f50a81f9e0b89049f27b69b5bec37e76cf3eabd5731a2c4fcb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B01A2317452405FDB94CA1D9890B6BBBDADFC9364714407AA84AC7B59DB29DC01C760
                                                                                                                                                                                                                                          Function 0699B070 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dabf2a48b186241d88b73234e8f474fcd4e5129cf9295c7856ecf71985aa4254
                                                                                                                                                                                                                                          • Instruction ID: 94c6b76adfa5609cd1cd65240b609cd62b92f06cdcafccab60d9a0173a8e2ed2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dabf2a48b186241d88b73234e8f474fcd4e5129cf9295c7856ecf71985aa4254
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 450126347042418FCB118A699D40A9BFFAAEF89200708C27AE51CCB759DB34D806C7A0
                                                                                                                                                                                                                                          Function 0699182A Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 633be689f28340f3bc5397407fb3639dd839f007364e194dd8a9668c0ef38454
                                                                                                                                                                                                                                          • Instruction ID: 7b2ec985e81f0c1f3ecbf9cb15d957f06604aee3f832092ac93978fe4b626077
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 633be689f28340f3bc5397407fb3639dd839f007364e194dd8a9668c0ef38454
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7701A271A00106A7EB58EAAD98557FF7AABABC8300F24402DE112B7B80DEB14D0197F1
                                                                                                                                                                                                                                          Function 069956C2 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f69d452a3f429e79a3b9c9fa440f60c2bd204b044cb57cc2f1af2fb290fa0cf
                                                                                                                                                                                                                                          • Instruction ID: dc2616a380be175ac263a299ddf4eec7cb9fb67c1448b7907029f1bebb01a08b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f69d452a3f429e79a3b9c9fa440f60c2bd204b044cb57cc2f1af2fb290fa0cf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C012F302083806FC306A7799814AAEBFAAEFC2204340056DE14B8F255CFA1AC0A83E1
                                                                                                                                                                                                                                          Function 06991440 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e7fbe4bffc1d36c0c6c6290a87c29e084449b9dda9ac74460616d410e547d109
                                                                                                                                                                                                                                          • Instruction ID: 8b7e49bcfbbb46f9b1713ac91258959aa220bcdd003ee9bd6124094fa86c230a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7fbe4bffc1d36c0c6c6290a87c29e084449b9dda9ac74460616d410e547d109
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7501D430B0530A5FCF49DF7C64A562A3F99EF8550470518BAC54BCF661F914C846CBA2
                                                                                                                                                                                                                                          Function 0699CB90 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4791998ff77da532de3bb77fd9a75939edb7a2d0486da121dfe45265fe0a26ab
                                                                                                                                                                                                                                          • Instruction ID: f2a51c3ff553e2eb99abe34e5df9d3270e6be2a5e752b7f0275beb0000b75851
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4791998ff77da532de3bb77fd9a75939edb7a2d0486da121dfe45265fe0a26ab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7F030767091148F9B949A6DAC94A6FB7FEFBC8975324013AE509C3750DB61DC01C7A0
                                                                                                                                                                                                                                          Function 043BD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1770695843.00000000043BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 043BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_43bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c0be0534df6256097709b199565b6dbfc3b78425db1dc3ed5f9be31eae86c3e1
                                                                                                                                                                                                                                          • Instruction ID: 06bd2ce2b982053e69ca357114413e067259713675c41cda7391578135423756
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0be0534df6256097709b199565b6dbfc3b78425db1dc3ed5f9be31eae86c3e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5001F770108B409AE7104E25D9847A7BF98EF41324F08C52AEE880A946C279A841C6F1
                                                                                                                                                                                                                                          Function 0699858F Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ce690783a96e01feeb01124c4b54e39adaa8d23418bfe1b16c6538fef10799d0
                                                                                                                                                                                                                                          • Instruction ID: e1951ddfa09f7eab70265072835c46e62583946901a2ec591b9220b499062174
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce690783a96e01feeb01124c4b54e39adaa8d23418bfe1b16c6538fef10799d0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C017872B083008FCB40D76CE9A096A77AADFD621432545AAE546CFB22DB21DC09CB31
                                                                                                                                                                                                                                          Function 043BD006 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1770695843.00000000043BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 043BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_43bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 93e3198e0bd95961d625d62678fedee880c0907a89e90c9703bb5e4c2c0420f0
                                                                                                                                                                                                                                          • Instruction ID: 3cf2cc0137376ac38516b47d8f07a2caf77995ce62e6b6f27fdb5154305793ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 93e3198e0bd95961d625d62678fedee880c0907a89e90c9703bb5e4c2c0420f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68015E7100E3C09ED7128B25D894B56BFB4EF43224F19C5DBD9888F1A3C2799848C7B2
                                                                                                                                                                                                                                          Function 069967E2 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4fed79e93c6c043124f9fe4853b6d949e561d3ad2f0a78eca571980f85ddd44e
                                                                                                                                                                                                                                          • Instruction ID: 0d28c7d8d98232213e927dc34e7de70ca0323bc44bc13e8d5d03b001fc7284c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fed79e93c6c043124f9fe4853b6d949e561d3ad2f0a78eca571980f85ddd44e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77017530E04208FFCB45FFB8D8515DDBBB5EF45204B0055A9D55AEB341DA306E05CB91
                                                                                                                                                                                                                                          Function 06994F3E Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1b28cef0d41a6da26d5f93c64f5cd07d78cd46ea0d8d642c05ea8ebd1d66e308
                                                                                                                                                                                                                                          • Instruction ID: 9e731dce6c34e2eef109d0b57eff7bf6df8a47042a7ed6d04da2e78e183e482e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b28cef0d41a6da26d5f93c64f5cd07d78cd46ea0d8d642c05ea8ebd1d66e308
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72010031640205CFCF01DF68D98099ABBA1EF842187148665E5598F72ADB31ED0ACBD1
                                                                                                                                                                                                                                          Function 0699EA75 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91f204532628ff9887a9b4791f0975c963159c4ad1f9430c73185f6d2953aac0
                                                                                                                                                                                                                                          • Instruction ID: 8457dea0c55e873f5e5c4ea295a17da0bf4f873bff739c20b2f9d57a06e932ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91f204532628ff9887a9b4791f0975c963159c4ad1f9430c73185f6d2953aac0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CF0E0357092501FC705965D949099BAFBBAFCD464359006BE109CB363CD599C078772
                                                                                                                                                                                                                                          Function 0699CB7F Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a1260ae15c69c06a8cba06478c9b3a1ee3819c3ee3a0d11142507b903c40ffe2
                                                                                                                                                                                                                                          • Instruction ID: d3709d7e1d454b6823080de4a07bc61c59efc66fd4f47dcea086bc173ae2b976
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1260ae15c69c06a8cba06478c9b3a1ee3819c3ee3a0d11142507b903c40ffe2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3FF0B4767092119FD7418F6D9C94AABBFFAEFC9960315026AE108C7761CB71DC05C7A0
                                                                                                                                                                                                                                          Function 06996769 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 832800d3ac4fab34511f4fcb92f8dbf43f7d3b1b5fd376ea1c6f35ec83852d49
                                                                                                                                                                                                                                          • Instruction ID: 3ed87c12833c9394d527b3e2e4c7a3cc893bec85539b4b890a8fe5f71b9e8df5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 832800d3ac4fab34511f4fcb92f8dbf43f7d3b1b5fd376ea1c6f35ec83852d49
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F018F36B01605CBEF50CB68C68045DF3AAFB84321B608639C01A9B744D736DC46CB91
                                                                                                                                                                                                                                          Function 0699E3EB Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d113cb7458d35454d0c68437f6cab9d030c05108e01f3cfaf0f802b73b66b402
                                                                                                                                                                                                                                          • Instruction ID: 1b0b82613872747064e03103ac2f2c732cd8a4eef2a5deca34083184ec8e1887
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d113cb7458d35454d0c68437f6cab9d030c05108e01f3cfaf0f802b73b66b402
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA01F9367106148FDB11D6A8D8517BDB763EFC8710F64841AD6425B784DF70BC0987D0
                                                                                                                                                                                                                                          Function 0699AF00 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 229e145091946e9e701116d740d7e14bca46982452f30d9057e143ecd6a0f39c
                                                                                                                                                                                                                                          • Instruction ID: 642d167492b62781c985eab7e07402a22579448aefa55ad13c51c3b152c83f61
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 229e145091946e9e701116d740d7e14bca46982452f30d9057e143ecd6a0f39c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70F0E9317053451F8755466E5C84957BFDEDFC956431480ABF40DCB355E960DC0983B1
                                                                                                                                                                                                                                          Function 06995752 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 00d8a29db4e4b99e1bf7715f7363cd869437472bdbad98ca4cdfd0420e1b7d6c
                                                                                                                                                                                                                                          • Instruction ID: f94fad80f00da667d64584e03d7ea818ff2a2e09d96f62c7335c0939738a0b87
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00d8a29db4e4b99e1bf7715f7363cd869437472bdbad98ca4cdfd0420e1b7d6c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EF0C0313093402FC34777F898105ABFF56EFC2100380416AE24ACF616CE646C0983F0
                                                                                                                                                                                                                                          Function 0699E36A Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbdd06555491412ebf971dc8990b08c225a7ebbb22403c345af17e53cde7b005
                                                                                                                                                                                                                                          • Instruction ID: 63e034092bd58109baed429e64150d4a3d4eb4ed651067deb387fb53db447464
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbdd06555491412ebf971dc8990b08c225a7ebbb22403c345af17e53cde7b005
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1F02836B506144FDB12A6A8D8517BDB363FFC8750F648429D6465B780DF70BC0A87E0
                                                                                                                                                                                                                                          Function 0699A369 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 05b0b412aed6b228ca84caa2b10be8b8e0d0dc62b22939b058d626bbcfb7e629
                                                                                                                                                                                                                                          • Instruction ID: 6d89a7e56f7feb5676ef66cec210da11164e2dc815916fc17728a6804cdd3fc1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05b0b412aed6b228ca84caa2b10be8b8e0d0dc62b22939b058d626bbcfb7e629
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75F05932509295AFCB174E38DC185D9BF66EF42268B2840CDED450B642DE23A813C791
                                                                                                                                                                                                                                          Function 0699AEBF Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fdb204ce9fd89f4d84964ccb96ff0ed2801197f559c51dd20a7e352f3a041eaf
                                                                                                                                                                                                                                          • Instruction ID: f8442575426cd83801485ad967f35c62c376db59fa7f4173b95e1d10eee00694
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fdb204ce9fd89f4d84964ccb96ff0ed2801197f559c51dd20a7e352f3a041eaf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5DF0271520E3C05FC7435B782C715CB3F62CE8352076545E7E185CB4A7C924582A8332
                                                                                                                                                                                                                                          Function 069968D1 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9253698551eb2660b71f7305d5ab7227f96ed33818067203654c2ddbe363bf6e
                                                                                                                                                                                                                                          • Instruction ID: d92747faabef45c98ec7a063ec2a99af0503fbbedc32f60e5b8541545482a634
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9253698551eb2660b71f7305d5ab7227f96ed33818067203654c2ddbe363bf6e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FCF09036A04255AFDB06CB58D840D8ABFFAEF8A21031981D6E548CB262D730DA05CBA0
                                                                                                                                                                                                                                          Function 069956D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 926ae0013ab6de48560300fac53aa590222858465b8bd4341a92d7240ddaed4a
                                                                                                                                                                                                                                          • Instruction ID: 2a74d73858ca041a1c07f1ee7b450113a2a3912a17e7bd14e05421ca7db4aeeb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 926ae0013ab6de48560300fac53aa590222858465b8bd4341a92d7240ddaed4a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7F0A9706006146FD755BBA9D4546AEBA9AEFC13147804A28E25B8F754CFB1BC0A87E0
                                                                                                                                                                                                                                          Function 06996880 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 963459533547d8f50bf49c936935ad05855167f0471c1a69864f677229a44460
                                                                                                                                                                                                                                          • Instruction ID: ff892d6a35dca670d397d4bba156e02c4a8ff5951b1ebcf07328efc1c9059fb2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 963459533547d8f50bf49c936935ad05855167f0471c1a69864f677229a44460
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBF0FE3510E391AFC3228738AC61DC3BFBA9A4761034A42D7E044CB163C624A945C7A2
                                                                                                                                                                                                                                          Function 069967F0 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b064f7a4018f1ad9980b00807a3c6cc1d3746b9bfa29352fd16d20c9ac2c554b
                                                                                                                                                                                                                                          • Instruction ID: d62a99af7cd855ab21156ffee0be62d446117b59f9d322ba9387b5bd27401e88
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b064f7a4018f1ad9980b00807a3c6cc1d3746b9bfa29352fd16d20c9ac2c554b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D011D70E0020DFFDB84FFB8D551A9DBBF6EF84204B5095A9D51AAB340DA306E05CB91
                                                                                                                                                                                                                                          Function 0699C4C9 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 715ac1eb67d2cad4a699ad072571d6fce28466099d129e75d09585c4f5f5190e
                                                                                                                                                                                                                                          • Instruction ID: 5c89a68e3cd332d35ebdfcd79c2e3cc99933132f66f0f9bd328ce04849ea80f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 715ac1eb67d2cad4a699ad072571d6fce28466099d129e75d09585c4f5f5190e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7CF027326093419FC72396385D00AEB7F6ACBC264075902ABD049CB969DA70DD49C3B6
                                                                                                                                                                                                                                          Function 069945B8 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a4d7761d5b43bf320dbb06ae3f3e2152e3042ad1a807931b424b459eb1ea9052
                                                                                                                                                                                                                                          • Instruction ID: 58a31e8a9e8da580b1e46e7ced53c3b2197019e56f3c6b2620b931d3a075c9c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4d7761d5b43bf320dbb06ae3f3e2152e3042ad1a807931b424b459eb1ea9052
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34F0B4303042418FCB119B7CD8509AE7FEB9FCA60031805A9E145CB765DB20EC46C760
                                                                                                                                                                                                                                          Function 069938B0 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eb4b350cc0c7c18e4b2cf524d75767e52b359fe67a7b176cf2540d806115b0fc
                                                                                                                                                                                                                                          • Instruction ID: 4166f66cc58a7f24797c343d58e49ead8dea44b0bfd28f3240cf4be183fe5867
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb4b350cc0c7c18e4b2cf524d75767e52b359fe67a7b176cf2540d806115b0fc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62F0E520B2D3583BEFA5156C5D003AB2E8D0B83B14F110077D891CBA92DAC4D80083F2
                                                                                                                                                                                                                                          Function 069957A8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f80ab8a2f810e2471725b8ca50e8bd46d8a8191c0d9b28a41b08bf19da8b5a2b
                                                                                                                                                                                                                                          • Instruction ID: fab40c1dd0fdbcbebf87fd792b93cc18a1c37e2a4c85387d02f72a8fb2913783
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f80ab8a2f810e2471725b8ca50e8bd46d8a8191c0d9b28a41b08bf19da8b5a2b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0EF05E353043518FCB12DB6CD99099A7BE69FCA21031945AAE14ACBA65DB20ED45C7A0
                                                                                                                                                                                                                                          Function 0699C688 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9c3e8a76419c739670c59c15c1788d232ef0b051919ad0dba485a1a26a54251c
                                                                                                                                                                                                                                          • Instruction ID: 02345fb9b458a6f64cef68a00ac498186a4706e1803701c7a64b65033f8cbb44
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c3e8a76419c739670c59c15c1788d232ef0b051919ad0dba485a1a26a54251c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52F0E5357102128FDB54D679ED00566B7DEAF882A031891B5DA08C7B38EE71DC02C790
                                                                                                                                                                                                                                          Function 069936A9 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 08d1ad017e1620ece2b6a8ffafb7ff7f83fa83b69e930532b6a682ed1fa862bb
                                                                                                                                                                                                                                          • Instruction ID: e9298235f76fec1515f8abcf784d71182acc550747d63fc62b7f8ccd66eca578
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08d1ad017e1620ece2b6a8ffafb7ff7f83fa83b69e930532b6a682ed1fa862bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74F030B5E02119BF8F84DFA89D012EBBFF4AB48551B104969D919D7600E3714A018BE0
                                                                                                                                                                                                                                          Function 0699AB90 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3512a182b51d75c56c0dabfd91a436cccb80ba461b4730559f32f07c9ed65681
                                                                                                                                                                                                                                          • Instruction ID: 519d10d1211995e446bb7906af9a3fe52ec22228c062dc55e196eb8602862fb5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3512a182b51d75c56c0dabfd91a436cccb80ba461b4730559f32f07c9ed65681
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5F0EC313043149BD7149B3A9884957BBEBEBC9661B1440F9F50AC7351CA15CC028650
                                                                                                                                                                                                                                          Function 06991431 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a582dce3ec34ff5a0aa05598c8525a97f1715f3a68bab024910b3c29ac7bea82
                                                                                                                                                                                                                                          • Instruction ID: 5b8cf40a67ccef2ca8fd636ee7dc3f03542d27b61b93ee8968ad0c67fcd8005d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a582dce3ec34ff5a0aa05598c8525a97f1715f3a68bab024910b3c29ac7bea82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61F09030B4020A5ECF4CDF7C91A562A3F9AFFC4608B0518A9814B8F661F924C842CFD2
                                                                                                                                                                                                                                          Function 06994560 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 07f661828942f9f753486cc46d2aa67b71f6ce7cb767e996ca28876b47bcccbe
                                                                                                                                                                                                                                          • Instruction ID: bef8d5169964fd404c8af818a798c8f57fcae71b792343ddfc3407afc9e67796
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07f661828942f9f753486cc46d2aa67b71f6ce7cb767e996ca28876b47bcccbe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2E02231300A102B8626B2AEE80065FBACAEFC4660340443CE21FCF704DE20FD8A43E9
                                                                                                                                                                                                                                          Function 06993CFF Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 55fc562f99cb6ed169a5a00b849e4e67cf05d21ba733525d51d5409d491d0f65
                                                                                                                                                                                                                                          • Instruction ID: 54d3729ef2ce8217315aa53a57ad6dc9349b1f82bed48173cef29fed3d3c777a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55fc562f99cb6ed169a5a00b849e4e67cf05d21ba733525d51d5409d491d0f65
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90F0203090A148EFCB02DFB8E962A9A7BB1DB4120430041EBE409CB761C6309F04C7A2
                                                                                                                                                                                                                                          Function 0699C1D0 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2a1942e3be5895ccf7366db24f38095dacc42bb030d3c8ff0c5890eefe6d20c7
                                                                                                                                                                                                                                          • Instruction ID: 4dc39a2d5e44bfb5dbd292fe8297d1c4b2d98a6f51559ed2419e4f89d6b190ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a1942e3be5895ccf7366db24f38095dacc42bb030d3c8ff0c5890eefe6d20c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4BE022342053009FC302B7A8A8646DF3FA7EFC6318304011AF6868B750CA747D0A8BA0
                                                                                                                                                                                                                                          Function 0699C678 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3281ae7ed35a74dda3d77c521cf224d1c1b914be012dae801ccf6b9bd87b29a6
                                                                                                                                                                                                                                          • Instruction ID: 4815e251fb92a3d49d86a16955fc70891f8af66071a5221b4907e7071ba86100
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3281ae7ed35a74dda3d77c521cf224d1c1b914be012dae801ccf6b9bd87b29a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4E020366093439BC71556759D00493FF6E9F4525431853E6D94087229DE35D843C3F1
                                                                                                                                                                                                                                          Function 06996AAF Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d091b090432010f36fad5414f5ef89213854c023327310ce9b394b5577aa57eb
                                                                                                                                                                                                                                          • Instruction ID: e8872281e3c125459be4642ad6dfa39c87a80e877c8b90083f0bedff2c97e0f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d091b090432010f36fad5414f5ef89213854c023327310ce9b394b5577aa57eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5DF06D353052509FC302CF9CD980C827BF5AF5920031681A6E888CFB62C321ED16CB60
                                                                                                                                                                                                                                          Function 06993CC0 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d22d87240d3fab9d8d4d51e610780e6542bfa6946612c2ec89d70ac71540ddc
                                                                                                                                                                                                                                          • Instruction ID: 456ffe5671688310c19bff6deffe839f59f13b878d3f4519b2aa1563e35328eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d22d87240d3fab9d8d4d51e610780e6542bfa6946612c2ec89d70ac71540ddc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AE020363092A04FC74356EC24644FA7F77CFC6511309019FE785CB791CB145D0683A2
                                                                                                                                                                                                                                          Function 0699CAC0 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 228e3e5e8c0af90d7ef5ed39f1c8e023dbfaf20d9a47ce6d9b3854fd7145b6b5
                                                                                                                                                                                                                                          • Instruction ID: 58e5c9adad246dc6a105c7a1dda72e571f4648dea450efc6829d91edd3cecf42
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 228e3e5e8c0af90d7ef5ed39f1c8e023dbfaf20d9a47ce6d9b3854fd7145b6b5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82E0171514F3E09FCB07AB7C5DB44D77F2A8D8322430901C3E0C18F0A3C549AAAAC2AA
                                                                                                                                                                                                                                          Function 06993C89 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 84b98c3b91a0dc1dbeb40e6406ab2283301a05cbcf45056aebe4dcbde55551ea
                                                                                                                                                                                                                                          • Instruction ID: 271d7179daf8a7724a82b735fc3b1855793d2b362d44a2416ab7470bba6439e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84b98c3b91a0dc1dbeb40e6406ab2283301a05cbcf45056aebe4dcbde55551ea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72E0862075A6A49FCF455A7D68205E63F66868155531805EAE64ACBA42D202881487A0
                                                                                                                                                                                                                                          Function 069936B8 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction ID: 4a0f1840fbc09ebef43fbe260e9f3db5aa80008006e93bb9b133d34311af17dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01E01270E0021ADF8F90DFAD99011AEBBF8AF48140B208569C519E7600E3319A11CBE0
                                                                                                                                                                                                                                          Function 069917F0 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 550642bdb73296909b048140be608e6de130ce55138609420d800e14843626d4
                                                                                                                                                                                                                                          • Instruction ID: fe0622e8c47423d17e349d24b67c9819db022a75b7d56eb18ac9594da9998aa2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 550642bdb73296909b048140be608e6de130ce55138609420d800e14843626d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DE02B3210D1546FC7466B20E8534E57F79DB6A12030540A7F851CBA61DDA20E12C3E0
                                                                                                                                                                                                                                          Function 069921E8 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c51e637d61687b96a86b43f636650eb83b3f93a70153bebdd8dd976908f90485
                                                                                                                                                                                                                                          • Instruction ID: 50119e931d8274c3120b5685d73759631311e01eb61261fea466282f138a3b2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c51e637d61687b96a86b43f636650eb83b3f93a70153bebdd8dd976908f90485
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1CE08C3401F3C0AEC74787748474B91BF60EF03215B6A80EEC8898F8A3C25B549BC322
                                                                                                                                                                                                                                          Function 0699C1E0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 20a699aef0388da30b99ddb0c02b81041633ff6ecf42bb117211657e1f99988f
                                                                                                                                                                                                                                          • Instruction ID: 6eeb4534530d89ddc1c7d3846363a9a0ba9c59ea81f356c4e65feb0b40cb974d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20a699aef0388da30b99ddb0c02b81041633ff6ecf42bb117211657e1f99988f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94E0C2312007145BC3147798E00859E7BDAFFC5768B40042DE64B87740CE71BD4A8BD4
                                                                                                                                                                                                                                          Function 06996AC0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 32a4b02f685e9de119f623710f88ef7bc20bdff8ea4619447d79145e95336664
                                                                                                                                                                                                                                          • Instruction ID: 9e1a8789fd1abe286b88222c72e6063bbde5077cd78b778052e8cc5429169d9f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32a4b02f685e9de119f623710f88ef7bc20bdff8ea4619447d79145e95336664
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6E08C313002048FC300DF8CD880C81BBE9EF58210315809AE889CB712C722EC02CBA0
                                                                                                                                                                                                                                          Function 06993CD0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 267caf97ce81ab0c7e0c1c8aedab10f9b36185fced3e4b466344ddcc3582a5a1
                                                                                                                                                                                                                                          • Instruction ID: ed4c43067c37e5975e2a505cd6bf7b3f3197e4d2bddb8249894eafa6da18d29e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 267caf97ce81ab0c7e0c1c8aedab10f9b36185fced3e4b466344ddcc3582a5a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23D05E3A300520170B85359E741456E76AFCFC5965314012AEB0AC7740DE515C0243E5
                                                                                                                                                                                                                                          Function 06993938 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 177e16cba49d92c851d285168241c52773ffc2bad2c41417fa2a24f6d0bd67f9
                                                                                                                                                                                                                                          • Instruction ID: 580ebf4473cf598371b0779e911657166b583810e8f3728f068e3881afa03c44
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 177e16cba49d92c851d285168241c52773ffc2bad2c41417fa2a24f6d0bd67f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DDD09712F4B350ABCB4152B828183DA3F0DCB42928F0241D7EA1A9BA02E8798C0103E0
                                                                                                                                                                                                                                          Function 069946D8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f6866b3bf90ad9f4e4cececb6a6d162fd7f267e6d324413a5cba8bc7e57ca902
                                                                                                                                                                                                                                          • Instruction ID: 91494f113c9c5429baa9f3d2c4f78b713aac1e54e474d8ad9e3c7ad940f69c4d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f6866b3bf90ad9f4e4cececb6a6d162fd7f267e6d324413a5cba8bc7e57ca902
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7E0B674E0420CAFCB44EFE8D54459DFBF5EB48300F0081EAE809E7354EA345A458F81
                                                                                                                                                                                                                                          Function 06992220 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 229e047b4960233077fdba72c3a87cd04114b21c6ef5cf96a1e7a20904053c4a
                                                                                                                                                                                                                                          • Instruction ID: 97a7014288e39bed4073aa6b19809f00a8e0fc8253acdba7caba2d1837b22a87
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 229e047b4960233077fdba72c3a87cd04114b21c6ef5cf96a1e7a20904053c4a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6D0A9306A030D29FFD8A2A8680233A328C6B80A28F700019EA2D08DD08DB91580C2B0
                                                                                                                                                                                                                                          Function 06990C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 63c8b745728dc66396063d828b96c89d807851edb120d2cc2f63b07d414f64e7
                                                                                                                                                                                                                                          • Instruction ID: eef6ee427d84212eee8477865c926e6463347ef67d66057f0d304d6a8f644f6a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63c8b745728dc66396063d828b96c89d807851edb120d2cc2f63b07d414f64e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2D0A73222001C6B5B58A61DD88687ABB99E7953613108437F903C3664DD60AC4087E5
                                                                                                                                                                                                                                          Function 06993D10 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: af1495f23a062f95d8d038d1f597b9b677c80fc4a8e6a788e2951df0dd97892c
                                                                                                                                                                                                                                          • Instruction ID: 6bb9d8c2ed7a4f5c2429a4f2e0494f6f179c3d596c867d6390cdff9e460f014d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af1495f23a062f95d8d038d1f597b9b677c80fc4a8e6a788e2951df0dd97892c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86D05B30A0110DEFCB40EFB4E90165DB7F9DF44204B1041A9D509D7340DE316F009790
                                                                                                                                                                                                                                          Function 0699E32A Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 920787198a5d7838a2b29343f6392c9eb2f0bf49a11a6c3ca479be459265de09
                                                                                                                                                                                                                                          • Instruction ID: a449601ed12589f67e1b33290fd34a0edb4458f362a649486642fa2037a7fadf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 920787198a5d7838a2b29343f6392c9eb2f0bf49a11a6c3ca479be459265de09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DE0EC30A1460ACBEF54DFE0C555AAE7771BF44709F204818D401A6644DB74890BCF91
                                                                                                                                                                                                                                          Function 06992968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3a0ad23b6282e2653d530574f878bc279518dc1e7e9ff84c99439c29e69b92c4
                                                                                                                                                                                                                                          • Instruction ID: 357ac0f14b298dbe65a827ac48d4132c3847708e23c146c95fc637acace5c152
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a0ad23b6282e2653d530574f878bc279518dc1e7e9ff84c99439c29e69b92c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69D05E7090120DDFCB04DFB5E94195DBFF9EB44204B2086A6D408D7210EA305E04CB80
                                                                                                                                                                                                                                          Function 06993C98 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d401e06ca7985632c39a757469e6fdfc7e468c471dcb96d08ff9b9fa833609f8
                                                                                                                                                                                                                                          • Instruction ID: 75d8b345bcf19a0794f07ad1aa91d3da7c0e1cd00370379b8d5caa1eb2faedb7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d401e06ca7985632c39a757469e6fdfc7e468c471dcb96d08ff9b9fa833609f8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2DD01230724609CFCF98EF68E55593577EADB8860531488ACAD0FC7741EF22ED02C694
                                                                                                                                                                                                                                          Function 06990440 Relevance: .0, Instructions: 10COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 171eb170f7ab0b66bab7c7cb60dd3b601ba38a0b357295a200943bd8b6981af6
                                                                                                                                                                                                                                          • Instruction ID: 90757771b4692ef4212be3f685df9f0918bd9e2e7d6cba5b0f611e301efc7ca4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 171eb170f7ab0b66bab7c7cb60dd3b601ba38a0b357295a200943bd8b6981af6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64C08CB2E942008FC304CE4800886E633A1EF30222B84C0BAC8040A010723A50B7E830
                                                                                                                                                                                                                                          Function 069946B0 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 392a7d71edc88bdac3e9b046a4d3f9ff63df7b40e2746672ed512890196ace15
                                                                                                                                                                                                                                          • Instruction ID: 8852bc75330cb5a187c575a93f3f2af58861646f397a09c9751e9f2e8b52842f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 392a7d71edc88bdac3e9b046a4d3f9ff63df7b40e2746672ed512890196ace15
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BEB0927094530CAF8620DB99990185ABBACDA0A310F0001D9F90887320D976E91056D1

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 0699F7E8 Relevance: 7.6, Strings: 6, Instructions: 148COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1770057389.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6990000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq$,bq$,bq$Hbq$`]cq$`]cq
                                                                                                                                                                                                                                          • API String ID: 0-2072144370
                                                                                                                                                                                                                                          • Opcode ID: adbf8f0cca889928854f1a6c28b5119a10805c0d99d4fa83b8f38c2878290e13
                                                                                                                                                                                                                                          • Instruction ID: d6760137e121b501f112914d5560ce28e354fde7cd3abbd5282cf7477c400630
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: adbf8f0cca889928854f1a6c28b5119a10805c0d99d4fa83b8f38c2878290e13
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40412831B141248FDB98AB2EA45446E77EAEFCA76133404AAD107DBBA1CE21DC01C7E5

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 070E50B8 Relevance: .3, Instructions: 283COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 496169957046bff822b7676046edf927cdc60b210d29da52fde20b6a2dca0b4b
                                                                                                                                                                                                                                          • Instruction ID: 834d7f2b91f241cba3f6bf313a859002ee11daf81b65ba87b916074594d7152e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 496169957046bff822b7676046edf927cdc60b210d29da52fde20b6a2dca0b4b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19B13DB0E0020ACFDB54CFA9CC8579DBBF6AF89318F248629D815E7394EB749855CB41
                                                                                                                                                                                                                                          Function 070E59A8 Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1b776718391bc5024e42b69439866659c9ff704430e68d2b21ad3c4058a860a1
                                                                                                                                                                                                                                          • Instruction ID: cf8b63eb78ea6dd21d563c07aa823a0948bb0e48926ea07b64e4cc232706ead0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b776718391bc5024e42b69439866659c9ff704430e68d2b21ad3c4058a860a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6B162B0E0020ACFDB50CFA9CC9179DBBF6AF88318F148A29D455E7354EB749895CB91
                                                                                                                                                                                                                                          Function 070E1630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $^q$$^q
                                                                                                                                                                                                                                          • API String ID: 0-355816377
                                                                                                                                                                                                                                          • Opcode ID: 060888ba1586fc45ae4dc583ac2cb8e23e701eb1888f8c458bc3eb6596254c2f
                                                                                                                                                                                                                                          • Instruction ID: 74a04cd9c59999f60d693a9daa188598222977003590f6a84a4d5c4b405907b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 060888ba1586fc45ae4dc583ac2cb8e23e701eb1888f8c458bc3eb6596254c2f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4751D3B1B002099FC715DF78D8406AEBBFAAFC9350B14827AE805DB364DA309D42CB91
                                                                                                                                                                                                                                          Function 070E1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: 131222dd64d48d6243664e33e56a45a92b641e46f1417b62738ab5a570da4885
                                                                                                                                                                                                                                          • Instruction ID: 2d186e189a09b409ac55ccebc9c4a449825ac9dcf8f12a3376cbed346875e620
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 131222dd64d48d6243664e33e56a45a92b641e46f1417b62738ab5a570da4885
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0071D275B00218DFDB049BB9C8547AEBAEBAFC8300F148169E506EB3A4DE75DC428751
                                                                                                                                                                                                                                          Function 070E0C1C Relevance: 1.4, Strings: 1, Instructions: 151COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                                          • Opcode ID: c19d84ea78f1f38197b4f594be5f504d00ab84359c4af20d3e532b8c402a9d52
                                                                                                                                                                                                                                          • Instruction ID: 57cfc76edfb62e0024329625ce2d514b83a314959efaa0bc681a179b79495096
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c19d84ea78f1f38197b4f594be5f504d00ab84359c4af20d3e532b8c402a9d52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6851F478A05258AFDB049B68D4547AE7FFAEF89310F14842AD406E7381CE799C05C792
                                                                                                                                                                                                                                          Function 070E50AD Relevance: .3, Instructions: 317COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5e1e308f428586e625b3ad9e06e0ad0b450273ab901c1cf7ff6b867cf1195036
                                                                                                                                                                                                                                          • Instruction ID: fc71fd18759ed02f81acd220b2cd4016a1fb672307cba006f473800c26db8705
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e1e308f428586e625b3ad9e06e0ad0b450273ab901c1cf7ff6b867cf1195036
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9DC14AB0E0020ACFDF50CFA9DC857DDBBF5AF48318F248A29E814A7250EB749855CB91
                                                                                                                                                                                                                                          Function 070E599C Relevance: .3, Instructions: 266COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ace05aefa757bd42763ce71e594b6f388664a300e6c5019e27b55bd45ecc33b6
                                                                                                                                                                                                                                          • Instruction ID: ef9844768a7973dab7ea416cccceceec1ec7ae704a878ef7bd489cf4fc69853b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ace05aefa757bd42763ce71e594b6f388664a300e6c5019e27b55bd45ecc33b6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7B16EB0E0020ACFDB50CFA8CD917DDBBF5AF48318F148A29D855E7294EB749895CB91
                                                                                                                                                                                                                                          Function 070E2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 56ddc11d183639b9dc6fee360b33a373bf5c3c71f5526aeaad8adda473a7811c
                                                                                                                                                                                                                                          • Instruction ID: b1eda56e981b7b389f6c50df807ff762e39ff00d3529364a67e57016ea7e64e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56ddc11d183639b9dc6fee360b33a373bf5c3c71f5526aeaad8adda473a7811c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3441F775B111189FCB54DF68D88499EBBB6FF88710B10816AE905EB360DB31DC42CB90
                                                                                                                                                                                                                                          Function 070E1072 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ebf2055700ca9d6ca7a5f2d4ba060fe971a3c10ec06fc2661b19d33a8e8c370c
                                                                                                                                                                                                                                          • Instruction ID: 5a269e24fd696d37bb11ec690283acad05f6d4e728ec20abdc9ec4a8695f6d24
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ebf2055700ca9d6ca7a5f2d4ba060fe971a3c10ec06fc2661b19d33a8e8c370c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C21129B6B112189FDB148BA598507FEBBEEDFC8250F04457AD906D7340DE74CE068792
                                                                                                                                                                                                                                          Function 070E2B18 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb2156e9859d649d08a422438541e9cb17a767ebf59263f60b738bd98efeacf9
                                                                                                                                                                                                                                          • Instruction ID: 4370d3d99907b8bc9a5c5b0020c9eb14cc8794688beee57897f09d8433e93492
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb2156e9859d649d08a422438541e9cb17a767ebf59263f60b738bd98efeacf9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5011A375B005198FCB94BB7C54251EE7AEAAFC8751B10067AD50AD7344EF34CA028BD6
                                                                                                                                                                                                                                          Function 070E2258 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 345c8134341d5db498bb19fb00942fb1f49698030b0d655cbcece1286831b36c
                                                                                                                                                                                                                                          • Instruction ID: c0898f0c5f9455361a3c87f61d9ab453d4b653702940c1d7e25528fcf7ac5777
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 345c8134341d5db498bb19fb00942fb1f49698030b0d655cbcece1286831b36c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21111AB5E111189FCB44DF78D4849DEBBB5FF4C710B10812AE815EB320DB719941CB90
                                                                                                                                                                                                                                          Function 070E1958 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3c1fe36ef482ecb93887373027541739c22ab6e0a99052b18f79cae9279bd626
                                                                                                                                                                                                                                          • Instruction ID: 56b605d36b814dd2d5eeb18a956a9cbb64f77b7c1d84a9ea469852cf0bbf6539
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c1fe36ef482ecb93887373027541739c22ab6e0a99052b18f79cae9279bd626
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06112E79A01115BFCB04DF64D499BA97FB6EF8C321F14401AE40AA7390CF79AC45CB91
                                                                                                                                                                                                                                          Function 070E1378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3fbd124ff7597d77ce46973f29e340d1eb9629936f6a2b0b2460630e689b4b39
                                                                                                                                                                                                                                          • Instruction ID: a07a8978da8e75b6b31b1d0e68ec53a40992f07fd8969916058b1d32f8327866
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fbd124ff7597d77ce46973f29e340d1eb9629936f6a2b0b2460630e689b4b39
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D52113B0D002098FDB10DFAAC480ADEFBF4FF48324F10852AD559A7250C7756946CFA5
                                                                                                                                                                                                                                          Function 070E1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8f1cd6c3f5d8ed0f78ff11b1c89fdb7501f7df1f029a93e482e770ae186dc80a
                                                                                                                                                                                                                                          • Instruction ID: 3348a322df122f244a06322525fb1ce75c31e328f29f3036e8c05d66d2186af8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f1cd6c3f5d8ed0f78ff11b1c89fdb7501f7df1f029a93e482e770ae186dc80a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D1106B1D042498FDB10DFAAC480ADEFBF4FF48324F108529D559A7250C7746945CFA5
                                                                                                                                                                                                                                          Function 070E1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71f7b032a1ff78813cbae228c5bcdb5d0a7085163d4da37fbd480b5f7ecc65eb
                                                                                                                                                                                                                                          • Instruction ID: 2ec3d2e84e86e34fb2e0fd34d9fbde20e4708d6f62799f4dd6232743485c374a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71f7b032a1ff78813cbae228c5bcdb5d0a7085163d4da37fbd480b5f7ecc65eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77111F79601115BFCB04DF64D498BA97BB6EF8C321F14401AE40AE7390CF79AC45CB91
                                                                                                                                                                                                                                          Function 070E2B08 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 56ab87c1265ba6f81692d8a76d3db1717947e91040c6a2fe9548dea0d0d49dd8
                                                                                                                                                                                                                                          • Instruction ID: f26852f8ae12bf75b4d19801b7a2cc9b980212dac38a6b12197f09dd8efec359
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56ab87c1265ba6f81692d8a76d3db1717947e91040c6a2fe9548dea0d0d49dd8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A201B5B5B006158FCB54AB7894252EE7BEABBC8751B15063AD409D7340EF34C9028BD2
                                                                                                                                                                                                                                          Function 04B1D006 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1776119871.0000000004B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B1D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4b1d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dccdaf7e71f1d615c4c5c8383aff00fbfee7497d836fc7be0f2b8790a2921ec5
                                                                                                                                                                                                                                          • Instruction ID: 3b59e5974306611e49b62c576a076ecf6730eaf368c447bde7364e29cf1e69f4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dccdaf7e71f1d615c4c5c8383aff00fbfee7497d836fc7be0f2b8790a2921ec5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C01806140D3C09FD7124B259C98752BFA8EF43224F1984DBD9888F1A7C268AC45C771
                                                                                                                                                                                                                                          Function 070E1440 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a72540f5841df827840a687978b624501a51b2da737b99f32ace2183f422e2b9
                                                                                                                                                                                                                                          • Instruction ID: 82bc8b3c25148cf4330a6c335e60390e5adec8f102016538478e3d9b8ec974f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a72540f5841df827840a687978b624501a51b2da737b99f32ace2183f422e2b9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1501F7F8A4A20A5FCB4D9F78A4B53263FEDDF8150470509ABC549CF261F928D80683C2
                                                                                                                                                                                                                                          Function 04B1D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1776119871.0000000004B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B1D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4b1d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5f2d9e3e22779098d14f60aebcb11284787896bd3315917d4ff04d47578e32fc
                                                                                                                                                                                                                                          • Instruction ID: 82b0aa55af0b0e029d812e5f65df03afed37eb65666fbe67b6de0c682671e868
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f2d9e3e22779098d14f60aebcb11284787896bd3315917d4ff04d47578e32fc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D01F7715083009AE7104F39D9C8767BF9CEF41324F18C5AAED484A296C379F841C6B1
                                                                                                                                                                                                                                          Function 070E2A68 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c3a28be75a7cfb83790b879cf1be7c6e128b59d22fe2b31df2c71a31a26e5474
                                                                                                                                                                                                                                          • Instruction ID: e8c6158fc557db2141e79f5a209ac692d575ab2f681f44d0f518aade0d81187b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c3a28be75a7cfb83790b879cf1be7c6e128b59d22fe2b31df2c71a31a26e5474
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C018F7AB112118FC705AF78D4096AE3BF1EB89715B20043AD919DB350EB71D943CBC1
                                                                                                                                                                                                                                          Function 070E182A Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb96f984eac6ddc86803ca27ffa849ec0423fcf441efaf06d8a73d597f8271cc
                                                                                                                                                                                                                                          • Instruction ID: 8f3d94427321239babd11ccdea712846c90c30a595334a796c86bb4bf94fef97
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb96f984eac6ddc86803ca27ffa849ec0423fcf441efaf06d8a73d597f8271cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7301D6B5A001099BEB18AB68C5557EF7AFA9BC8304F25412DD005B7380CFB54C018BD2
                                                                                                                                                                                                                                          Function 070E2997 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1ef228b0ac20d49342a583d74eb79ffc7ecff73e2707baa5a978cb5f2afd5300
                                                                                                                                                                                                                                          • Instruction ID: b6ba1bc2fd4d45760083e38f9a8e5027ef53637e3cf6318bf3c18c4fc79b3785
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ef228b0ac20d49342a583d74eb79ffc7ecff73e2707baa5a978cb5f2afd5300
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11F0FCB53022019FEB086B74E9447597B96EF40310B04457EE109CF394EE72D8864BD0
                                                                                                                                                                                                                                          Function 070E2A78 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f594bf1f12b09f478bb43d2d85b4892e76631a9acefc3879322bc37f3168862f
                                                                                                                                                                                                                                          • Instruction ID: be85997e685fb62c5eff4cbc99da1e086dfa0dd8ab7f923cd00d2f3bc44fc12e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f594bf1f12b09f478bb43d2d85b4892e76631a9acefc3879322bc37f3168862f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D016979B10215CFC704EF78D4096AE3BF5EB89715B10006AE909DB350EB719942CB81
                                                                                                                                                                                                                                          Function 070E29A8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6e1ef7abffded11c6f1f6266ce50825c394d83ca7dade2a1ff11c40f7a73b849
                                                                                                                                                                                                                                          • Instruction ID: c6a3521a906700fde240fe489d9ef63f7137661e72612c79e5adb48ec3d78ab3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e1ef7abffded11c6f1f6266ce50825c394d83ca7dade2a1ff11c40f7a73b849
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2F0BB703013014FEB18AB74D9047593B9AEB40314B04467DE5098F354EF72E8444BD4
                                                                                                                                                                                                                                          Function 070E1431 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d033bacbed3bc011398e979e52d0047d18e253686e8c0bbffeaa73293c84dbb
                                                                                                                                                                                                                                          • Instruction ID: f7e9ed5a6cade779f2869fc9b1cb1cb8f01994e1689889ca190ea790f722e296
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d033bacbed3bc011398e979e52d0047d18e253686e8c0bbffeaa73293c84dbb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F090F8A4520A5FCB0C9F78A5A53263FDAEFC1514B04096A81498F360F938D80287C3
                                                                                                                                                                                                                                          Function 070E2A20 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 34de2f7decbf92988e93c5b1bcb3c187a7ca20cfafa294c70db613d90d8ea3a3
                                                                                                                                                                                                                                          • Instruction ID: c7654a9a32fe0e2d452ed761abc35b92142b99ebc46ccf624e24fca161140849
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34de2f7decbf92988e93c5b1bcb3c187a7ca20cfafa294c70db613d90d8ea3a3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DCE086B27575659FCB151AB1B4043AE3BDCAF86672B0A4166E40AC2180EA0ECD834385
                                                                                                                                                                                                                                          Function 070E2A30 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53a8e187e0a049173efb5a2533e8e6e35a9b77362804a9603ac4cb17d772da07
                                                                                                                                                                                                                                          • Instruction ID: 1b0b3e4e3fbdfe46356fd01fca62a2fee13e251b147810d2af9ef581ac39ffea
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53a8e187e0a049173efb5a2533e8e6e35a9b77362804a9603ac4cb17d772da07
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1D05B713479298FDA1415B674143BE35DCEB42661B494125F41AD2280DF4ECD424395
                                                                                                                                                                                                                                          Function 070E17F0 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 120b1aca3dccb10c437428209c992a4cda628b8156fcb02cb401162b4a748015
                                                                                                                                                                                                                                          • Instruction ID: f18bec0aa011e0089df6bbb61cf3d5db40b9d98d33e1961b67bb9736e35ff827
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 120b1aca3dccb10c437428209c992a4cda628b8156fcb02cb401162b4a748015
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32D097B3268128AFC308F788F4096A57FAC9F06221F04003BF801833A1DCB12C91CBC0
                                                                                                                                                                                                                                          Function 070E2959 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: af66bb78ddaaf80765866c56490e12dc14749420036adf3d18d09f600a788eac
                                                                                                                                                                                                                                          • Instruction ID: 8181875d8876845e2a5a4080980e15ac778f5875207a4f62cbbaf18e1b2df591
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af66bb78ddaaf80765866c56490e12dc14749420036adf3d18d09f600a788eac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8BE08CB1C16108AFCB04DFB4E98165DBFA4DF08304B2145ABD408D7321EE329A168781
                                                                                                                                                                                                                                          Function 070E5EB0 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c200793825aec58efdf99dd1c0abe401ab51dd32eeb57ffdfd0cf0725ab64afc
                                                                                                                                                                                                                                          • Instruction ID: 9760502bf2eff0debf9b29b0c2139ce9c281401d31a616ee8cf9e5efaa45da74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c200793825aec58efdf99dd1c0abe401ab51dd32eeb57ffdfd0cf0725ab64afc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6D05E716542209FDB04A728E4506943BB5EB4A72AF1100AAE10A8B366DA9A9C0247C9
                                                                                                                                                                                                                                          Function 070E0C48 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 077bd87d160c5a4172e3179bb07f404d77cfcfba67c98f1dc97c7fa7fbb0ba9a
                                                                                                                                                                                                                                          • Instruction ID: b8ace84cb36b07aafeb8415847c0a27f07ce275208f5dadec893e2e5132a7437
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 077bd87d160c5a4172e3179bb07f404d77cfcfba67c98f1dc97c7fa7fbb0ba9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81D0A7313501205FD604535CD85097D739DDB8A71DB00086AF20AC7324CD51EC000689
                                                                                                                                                                                                                                          Function 070E0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8582b1830df932b5adc554d66240de40610a27847c11e1c0c5f0cf81b6418c81
                                                                                                                                                                                                                                          • Instruction ID: f688bf81e7e4a521b1d63a36296af8fe6a442ebda63f3555638b7b1a7b199839
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8582b1830df932b5adc554d66240de40610a27847c11e1c0c5f0cf81b6418c81
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8D0A77226002C6F5604771CD88596EBBAEE7892607104433FA0283324CD70AC458796
                                                                                                                                                                                                                                          Function 070E2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5c218d74c0ed696b25ed0e6e14dd291ab2e22bd0acc033ae6e8011589aeef830
                                                                                                                                                                                                                                          • Instruction ID: 62aec9d6b382c4530b7edbda1c66492f05a3b5efad8e1ee783405c6863cfdfff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c218d74c0ed696b25ed0e6e14dd291ab2e22bd0acc033ae6e8011589aeef830
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0D05E70901209DFCB04DFB9E945A5DBFF9EB44204B2096A7D408D7310EA306E04CB80
                                                                                                                                                                                                                                          Function 070E0440 Relevance: .0, Instructions: 10COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1775542121.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70e0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 04d7cafa5ba32fd0942c104704a2c5e679262f6c7772aa4669d72c78a5f0f6a9
                                                                                                                                                                                                                                          • Instruction ID: 0946165810e4b6876543694080d0491c5e97ccc13d9936511ce2df787811d071
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04d7cafa5ba32fd0942c104704a2c5e679262f6c7772aa4669d72c78a5f0f6a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CC04CF2E94640DBF6084A4495456E57360F771327B88813BC14444514626D51579510

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFD9B340C1D Relevance: 1.2, Instructions: 1196COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a01de542d993dbe6b14cf3571ad296f306aebcf2499d4cea512702527d473ca
                                                                                                                                                                                                                                          • Instruction ID: 456531b67ca7e4f1513e26e40221230c1218b42c4eec811d46994a65fbf74ef6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a01de542d993dbe6b14cf3571ad296f306aebcf2499d4cea512702527d473ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FBA22B70A1991D8FDBA9EF18C8A4BA8B7B2FF59304F5040FDD41DD7295CA35AA81CB10
                                                                                                                                                                                                                                          Function 00007FFD9B34187E Relevance: .7, Instructions: 652COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bc03267f7ef69ae5b346f12fdbd6cb58cecd1ecc2954c9d5ae54873eb8ff2f3d
                                                                                                                                                                                                                                          • Instruction ID: d7fab5b728850753a86a220f8dce5718a8dfda625d98f90038c58c13f5569a1d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc03267f7ef69ae5b346f12fdbd6cb58cecd1ecc2954c9d5ae54873eb8ff2f3d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD323D30E09A1D8FDBA5EF68C8547A9B7B2EF5A700F5140F9D00DD72A5CA75AA81CF10
                                                                                                                                                                                                                                          Function 00007FFD9B34C922 Relevance: .5, Instructions: 461COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea4bd9d2fb7a7de4070f6b27c8986a10372b94150b44f45645c420dc13c607f0
                                                                                                                                                                                                                                          • Instruction ID: 362a3be363ec7672491616aa569f739e29a72e4306f70c0bab481cb622b55080
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea4bd9d2fb7a7de4070f6b27c8986a10372b94150b44f45645c420dc13c607f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4FE1C430A09A4D8FEBA8EF28C8657F977D2FF54310F44426ED84DC72A5CE74A9458B81
                                                                                                                                                                                                                                          Function 00007FFD9B341E7E Relevance: .1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0acd8fc069cf8b3c3617034e4c83cf71513c57d5d87f4e6137b0728ba031569a
                                                                                                                                                                                                                                          • Instruction ID: 0a1993f01019cdad515a20b806bcf9b221a2c7019e092ac1891dfc5032047172
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0acd8fc069cf8b3c3617034e4c83cf71513c57d5d87f4e6137b0728ba031569a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E512D30A09A2D8FD7B5EF6888947A9B7B1EF59700F5144F9D44DD72A1CA356E81CB00
                                                                                                                                                                                                                                          Function 00007FFD9B341E88 Relevance: .1, Instructions: 132COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 555ad2f49c0a83670b8c9ea72b6d10fb29343d676e2b5c19f8b1a3fc83e20f58
                                                                                                                                                                                                                                          • Instruction ID: 95eff9fe48e1bfc273d8902f6845ee04ff769e79162198df70884faf93166d1e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 555ad2f49c0a83670b8c9ea72b6d10fb29343d676e2b5c19f8b1a3fc83e20f58
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81412A30A09A1D8FD7A5EF68C8A57A9B7B2EF59700F5140F9D40CD72A1DA356EC1CB40
                                                                                                                                                                                                                                          Function 00007FFD9B341EB6 Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aabe211d9a04f59c74482a457108c1a2577392377746886934495b0d3e5bab15
                                                                                                                                                                                                                                          • Instruction ID: b96c3a68124bedaccac3327cd9463fa7d60eabe15052e99a94c019c725a32563
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aabe211d9a04f59c74482a457108c1a2577392377746886934495b0d3e5bab15
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B1410A70A09A2D8FDBA5EF2888947A9B7B1EF19700F5145E9D00DD32A1CA35AF81CF00
                                                                                                                                                                                                                                          Function 00007FFD9B347627 Relevance: 1.7, Strings: 1, Instructions: 481COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: E
                                                                                                                                                                                                                                          • API String ID: 0-3568589458
                                                                                                                                                                                                                                          • Opcode ID: 593d99a5d9162d7b0c7ee27b82ced989428e7281fcf3b52d5c88cefb331180fd
                                                                                                                                                                                                                                          • Instruction ID: 8644423e61a86ae8c87df0b2585bbbfe4587814e4c2b6b7d242dd7345024c925
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 593d99a5d9162d7b0c7ee27b82ced989428e7281fcf3b52d5c88cefb331180fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF81F421A0E98D8EE755EF6C98255B87BE2EF4A310F5402FBD808DB1EBDD252942C351
                                                                                                                                                                                                                                          Function 00007FFD9B348265 Relevance: 1.7, Strings: 1, Instructions: 475COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^
                                                                                                                                                                                                                                          • API String ID: 0-1590793086
                                                                                                                                                                                                                                          • Opcode ID: d13fb613fde3871df17290510011d14f42be5c91947d88069d512887f921a2d6
                                                                                                                                                                                                                                          • Instruction ID: 4f03c175d4413fe48c239d966ca32f27de26b5441b57edc540dc952f3af12997
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d13fb613fde3871df17290510011d14f42be5c91947d88069d512887f921a2d6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51020D70A0991D8FDB99EF68C4A4BA8B7F1FF59301F1541AAD04DE72A1DB35A981CF00
                                                                                                                                                                                                                                          Function 00007FFD9B34596C Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: M_^
                                                                                                                                                                                                                                          • API String ID: 0-3807191693
                                                                                                                                                                                                                                          • Opcode ID: 6d403cf1d46d0a30a5d6e954aa0398ded0690cf2ba34d2456631d5088b93661f
                                                                                                                                                                                                                                          • Instruction ID: 49f385ef476b26b97b20adea3c603150fbdd70b02a0648f3f0276e3da6aa49e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d403cf1d46d0a30a5d6e954aa0398ded0690cf2ba34d2456631d5088b93661f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5C13922F0E64A4FD325FB7898611F877E0EF42325B0902FFC489CB4E3E919654987A1
                                                                                                                                                                                                                                          Function 00007FFD9B430853 Relevance: 1.0, Instructions: 951COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1858267210.00007FFD9B430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b430000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 09f0a0af19b20fd58cbc78e09860b42bcb25f0cc37f639cc5685aeb405766bf7
                                                                                                                                                                                                                                          • Instruction ID: dd99ea455dc63f0f703217918fee30e04076d8b4a7e4e76a40568f4ac23e8db4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09f0a0af19b20fd58cbc78e09860b42bcb25f0cc37f639cc5685aeb405766bf7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3BF1F720B0DA4D4FE7689B2C98257787BD1EF9A714B1902BFD48EC72E7CD14AC428781
                                                                                                                                                                                                                                          Function 00007FFD9B340C89 Relevance: .9, Instructions: 921COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ac5d15761fbb05959c54f250b520ba9ebeb043056a1682a712b09360c00f1c9
                                                                                                                                                                                                                                          • Instruction ID: 8e6054635cbb677bb3f434a6a8b335061e5a52e11a7b1cddfea7b28ec2d71a05
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ac5d15761fbb05959c54f250b520ba9ebeb043056a1682a712b09360c00f1c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09822A70A1991D8FDBA9EF18C8A4BA8B7A2FF59304F5040FDD01DD7295DA35AA81CF10
                                                                                                                                                                                                                                          Function 00007FFD9B34B679 Relevance: .4, Instructions: 415COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eef9fcd9b84c967b4c8e8d77c94df6c041cc3754e39875900dd5078461c9d127
                                                                                                                                                                                                                                          • Instruction ID: 8ba1ace391b5145b9adf68fe4f9ec90999f9199aece7037448ba049b5a9762d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eef9fcd9b84c967b4c8e8d77c94df6c041cc3754e39875900dd5078461c9d127
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06D1B630A08A8D8FEBA8EF28C8557E977D1FF59310F04426EE84DC7295DB74A9458B81
                                                                                                                                                                                                                                          Function 00007FFD9B342FFA Relevance: .4, Instructions: 362COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c5065b07f0133ca1adb20f98f000c5f84e56ffc8f214bf0b426d6a92da1eb15d
                                                                                                                                                                                                                                          • Instruction ID: c256fb80d888fa085bc3deeb1336207dc5edaceac72f83dde6c969ad0eb366b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5065b07f0133ca1adb20f98f000c5f84e56ffc8f214bf0b426d6a92da1eb15d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16B10816B0E1654AD311B7BCF8B15F97BA0EF42339B0841B7D9D98F097DD18608A87A4
                                                                                                                                                                                                                                          Function 00007FFD9B34673A Relevance: .4, Instructions: 360COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 380b104e102d8953d277750680a0e9f7c9e7686f5d0aec4c6845e25c2fde96b7
                                                                                                                                                                                                                                          • Instruction ID: 9d9f215dddf9314654308fcb0c617501e8e25b856fe1289697815ce4e730d572
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 380b104e102d8953d277750680a0e9f7c9e7686f5d0aec4c6845e25c2fde96b7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6C15D71E0EACE4FE7A5EF6888256A53BE1EF15350F0541FEC459CB1E3ED68A9058340
                                                                                                                                                                                                                                          Function 00007FFD9B34C536 Relevance: .3, Instructions: 334COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 44149aa246fafe2559aa6f10c58edf0aa0ffd5c33becef6bc6ff3a31be3ba828
                                                                                                                                                                                                                                          • Instruction ID: 6bd7713975bc91a324edccef0417b39c6ea988c9eb81a9017729d729339addf0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 44149aa246fafe2559aa6f10c58edf0aa0ffd5c33becef6bc6ff3a31be3ba828
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54B1B330609A4D4FEB68EF28C8657E93BD1EF55310F44426EE84DC72A6CB74A9458B82
                                                                                                                                                                                                                                          Function 00007FFD9B34D7BE Relevance: .3, Instructions: 318COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: adb750a65eb5bd134cb537315a335af62ad5a60aa9c004f16fd847a132e9a03a
                                                                                                                                                                                                                                          • Instruction ID: 708b95b4733da8bd99e9b06a551522c7c1fb91a544c66257baaf258fecc2a5e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: adb750a65eb5bd134cb537315a335af62ad5a60aa9c004f16fd847a132e9a03a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CCB1B270A18A5D8FDF94EF58C894BA8B7F1FF69301F1141AAD00DE7266DA70AD81CB41
                                                                                                                                                                                                                                          Function 00007FFD9B343368 Relevance: .3, Instructions: 311COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 27d4a7ab7e148935e448558f402bbd5230258af0e31605d530818f5661109695
                                                                                                                                                                                                                                          • Instruction ID: ca9e9dc18e5ea4f03a369cd2f50674f2f77317e55c9a9677dc58b7d958483a2f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 27d4a7ab7e148935e448558f402bbd5230258af0e31605d530818f5661109695
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56B16D30A0DA5D8FDBA5EF68C4647A9B7B2FF59300F2141BEC00DD7295DA35AA81CB41
                                                                                                                                                                                                                                          Function 00007FFD9B341B2F Relevance: .3, Instructions: 251COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e89c80e6587d9a666c86176395c8c302142f16c049b866af4ebf97eb93f3a253
                                                                                                                                                                                                                                          • Instruction ID: d21b77515c86b889a3c0bc694f9f1d5025d4f7c8eacaa06874795ee3721ee778
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e89c80e6587d9a666c86176395c8c302142f16c049b866af4ebf97eb93f3a253
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2A13930A0962D8FDB65EF29C8947E8B7B2EF5A301F5040E9D04D972A5CA75AE85CF40
                                                                                                                                                                                                                                          Function 00007FFD9B4300D6 Relevance: .2, Instructions: 235COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1858267210.00007FFD9B430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b430000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91890ca54e13e6ee4ddf983e3e2af06c3e0e1e84e19a260363208420e138c34f
                                                                                                                                                                                                                                          • Instruction ID: 2fb156f33831904414cc670f63559de13f1d1de74f8faaeceb455f0461d007c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91890ca54e13e6ee4ddf983e3e2af06c3e0e1e84e19a260363208420e138c34f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0351B67171CA0C4FDB58DB1CD895A7977E1FF99714B0602BAE48AC32A6CE25EC028781
                                                                                                                                                                                                                                          Function 00007FFD9B34946C Relevance: .2, Instructions: 195COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e02ffc0663807264b41005ec5da39f3ab7bf5f1d1bd98813312d4a90c4295737
                                                                                                                                                                                                                                          • Instruction ID: 2bcf24778b8896441520b21c0d88b32605b9457b44814ff78fedf7d29fb6d41b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e02ffc0663807264b41005ec5da39f3ab7bf5f1d1bd98813312d4a90c4295737
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26519530918A0C8FDB68DB58D855BE9BBF1FF59310F0082AAD44DD3256CE34A9858F81
                                                                                                                                                                                                                                          Function 00007FFD9B4304DE Relevance: .2, Instructions: 151COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1858267210.00007FFD9B430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B430000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b430000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 67c50aab3381279b59689cd0683e459a394ebba3db6ad51fd1df12efb5e0fd6e
                                                                                                                                                                                                                                          • Instruction ID: 3ffb69cbabd4324ef6971f9285b14822991330584d269a49619162dfb2d61cb7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67c50aab3381279b59689cd0683e459a394ebba3db6ad51fd1df12efb5e0fd6e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41412722B0EBC90FE792D77C48A66653BE1EF9A61430902FBD089C72B7D814AC079341
                                                                                                                                                                                                                                          Function 00007FFD9B3463FB Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 70bfc331beb48b8224996947e42dc929213defb3793e20384155199cfcaf97fa
                                                                                                                                                                                                                                          • Instruction ID: bde0192d119f013d0282a23b2291652c3ad5b97edc3d2129b220690a54cfcb45
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70bfc331beb48b8224996947e42dc929213defb3793e20384155199cfcaf97fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC411425B0EA8E4FDB95EF6CD8615E937A1FF56310B0246BAD458C71E6CE34AD02C340
                                                                                                                                                                                                                                          Function 00007FFD9B34E6D9 Relevance: .1, Instructions: 135COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4a6d5d2adb58586d830d642c267560dbb7c295b60e749a5b36cddcce66a01b7d
                                                                                                                                                                                                                                          • Instruction ID: 2b236e914701332603f092016ae38533ed43945c5cca83ff0eb3389e319d847b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a6d5d2adb58586d830d642c267560dbb7c295b60e749a5b36cddcce66a01b7d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68410C34A0951D8FDB98EF98D8A0AFDBBB2FF59310F15046DE00AE7291DB35A941CB50
                                                                                                                                                                                                                                          Function 00007FFD9B347A45 Relevance: .1, Instructions: 122COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: acfbf3c8155d47af95131ed2154af547980b75fa167dc9995b938239669f46f1
                                                                                                                                                                                                                                          • Instruction ID: 16263ccf0463f15c298557bfa5d6633e5492d9601b2e706ee6ce80536cc7f91b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: acfbf3c8155d47af95131ed2154af547980b75fa167dc9995b938239669f46f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4417130A0964DDFDB55EFA8C4606EDBBB2FF5A300F1500BAD448DB2A1CA39A945CB50
                                                                                                                                                                                                                                          Function 00007FFD9B34D1FC Relevance: .1, Instructions: 111COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 927eb4b1d616b644e88bbf650899dc12ced4df644bca74c1ea7e70b9db4f7572
                                                                                                                                                                                                                                          • Instruction ID: 1862917b65d3978bc60f5a1770c81af6b6b85d06e64ac3d66933045f5bfde241
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 927eb4b1d616b644e88bbf650899dc12ced4df644bca74c1ea7e70b9db4f7572
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9731B330E1991DDFDB98EFA8C464AACB7B2FF59301F51007AD409D72A5DB39A981CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3482F8 Relevance: .1, Instructions: 107COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 67e24335ada2d467257e21b106d1c9b13ceaf8a477a887b4cbb99b2012365194
                                                                                                                                                                                                                                          • Instruction ID: 0ebfa478c1e45bbfd0b27f80ba199ffd881a2510a30b3c8139e1d5fb608464ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67e24335ada2d467257e21b106d1c9b13ceaf8a477a887b4cbb99b2012365194
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0312D70A09A4DCFDBA8EF68C4617A8B7B2FF59340F5541AED00DE72A1DB355A81CB00
                                                                                                                                                                                                                                          Function 00007FFD9B347C51 Relevance: .1, Instructions: 105COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e9f355e43ea6903b41682a8b09039ffd5d977887e5219f3e6c3e6137ea564add
                                                                                                                                                                                                                                          • Instruction ID: a38293fbf49b57df5e576f350ff04a17a38a50715b20d914957310f99577c76b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9f355e43ea6903b41682a8b09039ffd5d977887e5219f3e6c3e6137ea564add
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2731C430A09A4DCFDB51DF68D8506AD7BF2FF5A700F1441ABD408DB2A2DB35AA41CB50
                                                                                                                                                                                                                                          Function 00007FFD9B344EFA Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 30b1ea46acb7ba07849b6f3fe0692c417abd8a9e4a5d1d48455468d61f70489c
                                                                                                                                                                                                                                          • Instruction ID: 183ed2cf81014ef48fdd588d4118b5848c0911120a63e6dd01236895c7943a3e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30b1ea46acb7ba07849b6f3fe0692c417abd8a9e4a5d1d48455468d61f70489c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7521E232A0EA9D0FD715EF68E8714E67BA0FF45220B0543BBE499C71A3CD649906C751
                                                                                                                                                                                                                                          Function 00007FFD9B347DC1 Relevance: .1, Instructions: 82COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7251a8eaa1773f7e9365f1450a74541a4fbbfce3c8e334abd7a7f298832fec92
                                                                                                                                                                                                                                          • Instruction ID: cf1e6d90127267c04af63eecaf91ad4c77ce3b49078d75ea2bbd665afec9beed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7251a8eaa1773f7e9365f1450a74541a4fbbfce3c8e334abd7a7f298832fec92
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E215E30E19A5D8FEB94EFA8C855AEDBBF1FF59304F04007AD408E7291DB34A9408741
                                                                                                                                                                                                                                          Function 00007FFD9B34483D Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eb8cacb0fc297b6efb3041086bfb4e099f92560e8e00654d94f3af20dcb6934f
                                                                                                                                                                                                                                          • Instruction ID: 1cbe2f94283cf7b11315e15ffd0787e074459330cda2bbaaa96b29d0577017de
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb8cacb0fc297b6efb3041086bfb4e099f92560e8e00654d94f3af20dcb6934f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3112F32A0A6CD4FD720FF6898B01F93B91FF55214F0505BAD85CC70E3ED2965458741
                                                                                                                                                                                                                                          Function 00007FFD9B3449F1 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0098de15da5d764ec39f999b805c95c439203b72094adf35949aa6d62d584159
                                                                                                                                                                                                                                          • Instruction ID: b67d5134b0fe1a5be387e8448c60501b84b4539687e6f4b31850b0832b949c18
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0098de15da5d764ec39f999b805c95c439203b72094adf35949aa6d62d584159
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8111303020AA4DCFD794EF28C460A9577A2FF4A304BA644BDD40CCB296CE36E942C700
                                                                                                                                                                                                                                          Function 00007FFD9B343B7D Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7ca57cf8639e8e81d037c3848865739986a13fd29ca2dfd4190fd41636510084
                                                                                                                                                                                                                                          • Instruction ID: 3f7dc31b94aec29a7da1c20ee07a8e7564553b837679acdff218036ea0140b7e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ca57cf8639e8e81d037c3848865739986a13fd29ca2dfd4190fd41636510084
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF11AC31E0C60D8BDB14EFA8C4656FEBBB1EF4A310F0202BAE109D71D2DE7865448B41
                                                                                                                                                                                                                                          Function 00007FFD9B34D132 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b403c3fd0211881ed648cd22d46b09038caffc151941b61c5afb24221314b98
                                                                                                                                                                                                                                          • Instruction ID: 2098fcedda4c3095e602582c3d5433cb3b59ecfe849a0946fee33e5bbdde3c48
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b403c3fd0211881ed648cd22d46b09038caffc151941b61c5afb24221314b98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF119230A1991DCFDF94EFA8D494AECBBB1FF59341F5501AAE009E7261CB35A841CB10
                                                                                                                                                                                                                                          Function 00007FFD9B346E93 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1857915816.00007FFD9B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B340000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b340000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction ID: c25dba0ede91079c123f53791389d5a2314911f4017c1c462dcba45bfc91c4c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89A00242BCF46E01D5A4B4DD78620D8B245C785271BC669B6ED0C8415A989E1AD60285

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFD9B57FE91 Relevance: 23.0, Strings: 17, Instructions: 1799COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ("g$("g$0"g$0"g$8"g$8"g$@"g$H g$H g$H g$H"g$x6e$x6e$x6e$x6e$x6e$!g
                                                                                                                                                                                                                                          • API String ID: 0-22571849
                                                                                                                                                                                                                                          • Opcode ID: a980f908a1d6e9854e9a9292d3fef5741e343d77e95ab7019dd8f22a5c440f95
                                                                                                                                                                                                                                          • Instruction ID: 5aff862577662c3b26596beec91dd87321a65fb53ad768ce6b7d05446a209f3e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a980f908a1d6e9854e9a9292d3fef5741e343d77e95ab7019dd8f22a5c440f95
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1CD29230B1994E8FEB99EB5884A5AA973E2FF98304F5541B9D00DC729BDE34FC428741
                                                                                                                                                                                                                                          Function 00007FFD9B360C58 Relevance: 12.4, Strings: 9, Instructions: 1188COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 7e$(7e$X7e$x6e$x6e$x6e$x6e$x6e$6e
                                                                                                                                                                                                                                          • API String ID: 0-3247933658
                                                                                                                                                                                                                                          • Opcode ID: 3b1e06269017cbb911ddc03508c70ae4807b44b13ad9526eb9d2625e3abba1cb
                                                                                                                                                                                                                                          • Instruction ID: 0544a36f2ef9814b3f19a2fbce5ce67f80d0e034740583c970a0d975d0618b12
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b1e06269017cbb911ddc03508c70ae4807b44b13ad9526eb9d2625e3abba1cb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFA23B70A1951D8FDBA9EF18C8A5BA9B7A2FF58304F5040FDD01ED7295CA35AA81CF40
                                                                                                                                                                                                                                          Function 00007FFD9B364C41 Relevance: 9.1, Strings: 7, Instructions: 367COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: [e$ [e$ [e$ [e$([e$([e$[<L_^
                                                                                                                                                                                                                                          • API String ID: 0-2420151054
                                                                                                                                                                                                                                          • Opcode ID: 57c4b0110964c71aeb5bb13790cc60f61eb335d46c81b1758c246acca4e075cd
                                                                                                                                                                                                                                          • Instruction ID: 8ea1a96ef143119cba4d1eeef5d558b4876794dd0801dbfd897baae26a0b41b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 57c4b0110964c71aeb5bb13790cc60f61eb335d46c81b1758c246acca4e075cd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7DC1AE70E0960E8FEB64EF68D4AA7A9B7A2FF59304F11017DD00DD72A6CA746D45CB40
                                                                                                                                                                                                                                          Function 00007FFD9B57E48D Relevance: 3.6, Strings: 2, Instructions: 1117COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^*_^$x6e
                                                                                                                                                                                                                                          • API String ID: 0-2120124779
                                                                                                                                                                                                                                          • Opcode ID: f6b5e01b9782b53e03722c7f57669dddd30a0fb5e4cb3767158e23cb4716129c
                                                                                                                                                                                                                                          • Instruction ID: 32ec43fcdd11ea2df6fd91412ef78ad76ea14c97ef0efd1a233564c666cf37b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f6b5e01b9782b53e03722c7f57669dddd30a0fb5e4cb3767158e23cb4716129c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96728B21B0E78A0FE796ABB894B55F57B90FF52314B0841FAD48DCB1E7DD24B8468780
                                                                                                                                                                                                                                          Function 00007FFD9B571FDB Relevance: 2.1, Strings: 1, Instructions: 860COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8e
                                                                                                                                                                                                                                          • API String ID: 0-3185754544
                                                                                                                                                                                                                                          • Opcode ID: ce192a0e4d9a4db8194f4cbbfeb4f98bd632644a7360fb22ae8f85a04b6de9b5
                                                                                                                                                                                                                                          • Instruction ID: fd0f895f415667939af2d5a3b2d3f26485450938e80be7ce5b1621bcc9f013f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce192a0e4d9a4db8194f4cbbfeb4f98bd632644a7360fb22ae8f85a04b6de9b5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D142B030B1EA494FEBE9EB6C84A9B7573D2EF99300F0500B9E44DC72A7DE25A841C741
                                                                                                                                                                                                                                          Function 00007FFD9B37C910 Relevance: .4, Instructions: 381COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a73fa827a06351d9ea5e4a3e54b490c55e0ac60db0b680eacaadc89672a94fda
                                                                                                                                                                                                                                          • Instruction ID: a4c01882ed384a55c29b1b8f369b581a768a9c452868bd25c76bc08a928c123f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a73fa827a06351d9ea5e4a3e54b490c55e0ac60db0b680eacaadc89672a94fda
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84B1B271B1994D8FDFE4EF6CC495AA93BE1FFA9350B05017EE409D32A2CA24E941C780
                                                                                                                                                                                                                                          Function 00007FFD9B3663B2 Relevance: 9.1, Strings: 7, Instructions: 301COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (8e$08e$88e$@8e$H8e$x6e$x6e
                                                                                                                                                                                                                                          • API String ID: 0-139734412
                                                                                                                                                                                                                                          • Opcode ID: 6ac87f3748c6e6350b7fcf9769a38d73248913b727afe0f91a9deb12a83ada29
                                                                                                                                                                                                                                          • Instruction ID: bfe68f761eb186071a9a678f9875b013ee53e726be2920fe333e45bf92d88920
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ac87f3748c6e6350b7fcf9769a38d73248913b727afe0f91a9deb12a83ada29
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3EA13870E0961DCFDBA8EB58C4A67ECB6B1FB59340F5181BDD00EE7291CA746A85CB40
                                                                                                                                                                                                                                          Function 00007FFD9B5758D3 Relevance: 8.3, Strings: 6, Instructions: 821COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8 g$8 g$@ g$@ g$x6e$*_^
                                                                                                                                                                                                                                          • API String ID: 0-2853540062
                                                                                                                                                                                                                                          • Opcode ID: b6d1664a9ce989af8098e118dee97e7f803811d80ddf86242ba6b21754c35c15
                                                                                                                                                                                                                                          • Instruction ID: 1dc1d93bb88535195ab0e6b98c091a494450071ae70dbc79cd7905869dd3d09c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6d1664a9ce989af8098e118dee97e7f803811d80ddf86242ba6b21754c35c15
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22420671B2DB8A8FE7A9EB5894A4A65B7E1FF98300F150079D44DC32A7DE34F8418781
                                                                                                                                                                                                                                          Function 00007FFD9B576ECC Relevance: 5.9, Strings: 4, Instructions: 881COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: -8_H$x6e$x6e$x6e
                                                                                                                                                                                                                                          • API String ID: 0-794209389
                                                                                                                                                                                                                                          • Opcode ID: a3cd7316f5dbc476e4440e6dba7ccf2ad35a49dcb4e2ef8b2c89ce8753de0a31
                                                                                                                                                                                                                                          • Instruction ID: a6ef26e360d585705ed82a93c11a393bf634f5990431d3b345c47210858d26c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3cd7316f5dbc476e4440e6dba7ccf2ad35a49dcb4e2ef8b2c89ce8753de0a31
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B52A230B1DA0E8FEBA9DB58D4A5A6577E2FF94304F6141B8D00DC72A6DE25ED42CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3673E1 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: [e$[e$[e$[e
                                                                                                                                                                                                                                          • API String ID: 0-1682458028
                                                                                                                                                                                                                                          • Opcode ID: 039553d3931cddd0bf090f2962fcd825e2a0f893c7105290e293bdc595fad514
                                                                                                                                                                                                                                          • Instruction ID: bdaba9851851a515fadf7290ea15a49d3c6f6c4b3607f52128f9c81766ef0941
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 039553d3931cddd0bf090f2962fcd825e2a0f893c7105290e293bdc595fad514
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13B1D970E0961DCFDBA8EF98C4A5BADB7B1FF59300F5141A9D01DE72A5CA34A981CB40
                                                                                                                                                                                                                                          Function 00007FFD9B37FA19 Relevance: 4.0, Strings: 3, Instructions: 296COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: He$`e$xe
                                                                                                                                                                                                                                          • API String ID: 0-2430223407
                                                                                                                                                                                                                                          • Opcode ID: e67e51fc27e22a4963cc59d71d36a05ca968edb895b0e97384240c7ecb943ab3
                                                                                                                                                                                                                                          • Instruction ID: dd2c690468bc493cf81ecc29d4cd6374c0d3e0890e40a11f92ab61cef4885d41
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e67e51fc27e22a4963cc59d71d36a05ca968edb895b0e97384240c7ecb943ab3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76910671B1998E4FDF94EFA884A56A977E1FF68300F0501BAD409D72A6DE34EC02C740
                                                                                                                                                                                                                                          Function 00007FFD9B36EA00 Relevance: 4.0, Strings: 3, Instructions: 271COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: e$@e$H
                                                                                                                                                                                                                                          • API String ID: 0-274754732
                                                                                                                                                                                                                                          • Opcode ID: 05e440f3ee497b67f230c6bd1c75eb57d47206ee480656056bcfeea09a058ea5
                                                                                                                                                                                                                                          • Instruction ID: 84f9ff39c9ca278bf2c0bd3e4ff5612939bbf48aa94e9103b931b41555828ee2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05e440f3ee497b67f230c6bd1c75eb57d47206ee480656056bcfeea09a058ea5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A715622B0FE8A1FF766E6AC94752A53BD1EF56650B1500FFD089C71E3D9246C468382
                                                                                                                                                                                                                                          Function 00007FFD9B380281 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: e$!J_H$0e
                                                                                                                                                                                                                                          • API String ID: 0-3406692173
                                                                                                                                                                                                                                          • Opcode ID: a18ce4bedd6a435de38bcff344af82634db1192977da975c9b463897cbbd3ce9
                                                                                                                                                                                                                                          • Instruction ID: fe3216e67cefec4e2c9e95e13fc147029356e44b410385aaace63ac504d69283
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a18ce4bedd6a435de38bcff344af82634db1192977da975c9b463897cbbd3ce9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47614A61B1ED8A5FDB95EBA848B12B537D2EF99714B0501BED09CC7297DD246C028382
                                                                                                                                                                                                                                          Function 00007FFD9B3680DD Relevance: 4.0, Strings: 3, Instructions: 208COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X[e$X[e$`[e
                                                                                                                                                                                                                                          • API String ID: 0-294956105
                                                                                                                                                                                                                                          • Opcode ID: 5102d5b6facfc30f37f5a7500bbaa2a429f405e92f077d47adf6574e68ea8266
                                                                                                                                                                                                                                          • Instruction ID: e13dcef7bca36d1ec9f05e5b2db8143b73a033ae952621039aa9559438460d75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5102d5b6facfc30f37f5a7500bbaa2a429f405e92f077d47adf6574e68ea8266
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71813C70E1961E8FEB64EF58C8667EDB6B1FF59304F50017ED00DA32A6DA781A84CB41
                                                                                                                                                                                                                                          Function 00007FFD9B365B6A Relevance: 3.9, Strings: 3, Instructions: 187COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e$x6e$6e
                                                                                                                                                                                                                                          • API String ID: 0-3098011084
                                                                                                                                                                                                                                          • Opcode ID: 4a2f8eba84d826d76943d6f2d10a33ca33b77eca30ae73aa7f50b1956d383503
                                                                                                                                                                                                                                          • Instruction ID: 5f79d6fbaad8ea2889f89a9ebda80af61aaa021b0c0cb1bedac56a4b2eebd651
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a2f8eba84d826d76943d6f2d10a33ca33b77eca30ae73aa7f50b1956d383503
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E510330A0A68D8FD791DF68C8657997BF1EF8A300F1501FAD048DB2A2CA795D86CB50
                                                                                                                                                                                                                                          Function 00007FFD9B36BAED Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 89e$@9e$H9e
                                                                                                                                                                                                                                          • API String ID: 0-63497423
                                                                                                                                                                                                                                          • Opcode ID: 046a4993f615ed123f3b2fa879647680a821478b77bc9103dac14753fbdeb77a
                                                                                                                                                                                                                                          • Instruction ID: 68f066e24c913373293a516b5ce19ea820abbe9e8cd9fe40c001410a695ded51
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 046a4993f615ed123f3b2fa879647680a821478b77bc9103dac14753fbdeb77a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D411171B19A4A8FE758EBA8C8677E97BE0FF55310F0402B9E459CB2D7ED6428018B40
                                                                                                                                                                                                                                          Function 00007FFD9B575888 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e$x6e
                                                                                                                                                                                                                                          • API String ID: 0-2751129820
                                                                                                                                                                                                                                          • Opcode ID: 7c1b10dcbc0fb4962f03e8eddb07caad06580ff0b2770310e6d74f9c7ab3e6d4
                                                                                                                                                                                                                                          • Instruction ID: 8c24df137c6bccdc919cf24aaf125ebf5abf02a9b3e4b0d232fbe5864f7c9411
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c1b10dcbc0fb4962f03e8eddb07caad06580ff0b2770310e6d74f9c7ab3e6d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBD1C671F19A0E4FEBA5DB58D8A97B977E1FF58300F0101BAD44DD72A2DE24AD818B40
                                                                                                                                                                                                                                          Function 00007FFD9B37F235 Relevance: 2.8, Strings: 2, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $e$pe
                                                                                                                                                                                                                                          • API String ID: 0-3906838924
                                                                                                                                                                                                                                          • Opcode ID: a289f7c440479514fbd9e4807e1fe495fe02fc34107dba7b311fd8ff1465322e
                                                                                                                                                                                                                                          • Instruction ID: f3fa51065b6df0e20544d4e21bd26aba18e47255266312834be809c6df2bca2e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a289f7c440479514fbd9e4807e1fe495fe02fc34107dba7b311fd8ff1465322e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F6A14731B0EA8A4FEB74EB5C94A56B477D2FF99311F1505BEC04CC76A6DE18AC068381
                                                                                                                                                                                                                                          Function 00007FFD9B5768D3 Relevance: 2.8, Strings: 2, Instructions: 282COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e$x6e
                                                                                                                                                                                                                                          • API String ID: 0-2751129820
                                                                                                                                                                                                                                          • Opcode ID: a8ea59165f2974b1953e50cfe8582ee939cdae9b89fc2936ba18e3691c451f84
                                                                                                                                                                                                                                          • Instruction ID: b61dc7deab6ef5ff097fa0bb88dbff7b4eaa8f3dcb28891796ed42947dab513e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8ea59165f2974b1953e50cfe8582ee939cdae9b89fc2936ba18e3691c451f84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23914D61B0F68A4FE7A69BB888B95F47BE0EF55304F1941BBC4C8C71A3EE2469458740
                                                                                                                                                                                                                                          Function 00007FFD9B5769F3 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e$x6e
                                                                                                                                                                                                                                          • API String ID: 0-2751129820
                                                                                                                                                                                                                                          • Opcode ID: 63c2a8fbc3a157d09715f8916169f7989d38549fa30d84f9eadf858a86540497
                                                                                                                                                                                                                                          • Instruction ID: 007c7c4508263af985073494358f858b387f1c3ea3650abab87c433cb56115ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63c2a8fbc3a157d09715f8916169f7989d38549fa30d84f9eadf858a86540497
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9514B71B0EA4E8FFBB68B6888A96B43BE1EF55300F15017AC449C72B3DE206D41C740
                                                                                                                                                                                                                                          Function 00007FFD9B5769D3 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e$x6e
                                                                                                                                                                                                                                          • API String ID: 0-2751129820
                                                                                                                                                                                                                                          • Opcode ID: 13dc692851c3e146f2f8a92020a4076785da5f91a4759bec7e32c85c763f86b2
                                                                                                                                                                                                                                          • Instruction ID: 83dfa73ebeaf4274bfc3e2b19c04c213f4ff3ab2f66568a836054d8b9cfe76a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13dc692851c3e146f2f8a92020a4076785da5f91a4759bec7e32c85c763f86b2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79411871B09A4E4FFBA6DB6884AA6B53BE1EF55304F15407ED44DC72A3EE20AD418780
                                                                                                                                                                                                                                          Function 00007FFD9B3681AE Relevance: 2.6, Strings: 2, Instructions: 96COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `[e$`[e
                                                                                                                                                                                                                                          • API String ID: 0-1965343623
                                                                                                                                                                                                                                          • Opcode ID: 23058359fa3b2558bb3b973d567357cfc4b1169e0ae5deab1e562d91445e9aa8
                                                                                                                                                                                                                                          • Instruction ID: fbb8d539efca58c4948f69f63c722cd26036db8d8874759532271587940bddcb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 23058359fa3b2558bb3b973d567357cfc4b1169e0ae5deab1e562d91445e9aa8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE31FC70E1461D8FDB58EF58C8A97B9B6B1EF58305F5000BED00DA72D6DA781984CB51
                                                                                                                                                                                                                                          Function 00007FFD9B365201 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `\e$7e
                                                                                                                                                                                                                                          • API String ID: 0-2566598992
                                                                                                                                                                                                                                          • Opcode ID: 3c6309eb1ca1c4e7fe596056cbf0e797428d1a058921fd549122e5d3ec29eaf0
                                                                                                                                                                                                                                          • Instruction ID: bcaca30ec8f18fdb6c3bd9c3360a931f8074be09b2801c693331b5b8534c8948
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c6309eb1ca1c4e7fe596056cbf0e797428d1a058921fd549122e5d3ec29eaf0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82217C70E08A1D8FDB94EF98D8A66EDBBB1FF59300F04017AD409E3295CA34A9418B81
                                                                                                                                                                                                                                          Function 00007FFD9B365220 Relevance: 2.6, Strings: 2, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `\e$7e
                                                                                                                                                                                                                                          • API String ID: 0-2566598992
                                                                                                                                                                                                                                          • Opcode ID: 0180f7c97e150256f2ec3d4cfb0bbe4b5044a92563baeee38efc57f3e64ce2ca
                                                                                                                                                                                                                                          • Instruction ID: 24bce0678b21ccd267707cb5c0eda1ebb716af6521bd2bd486279f399d178535
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0180f7c97e150256f2ec3d4cfb0bbe4b5044a92563baeee38efc57f3e64ce2ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4212770E04A1D8FDF84EF98D895AEDBBB1FB59310F10053AE409E3295CA75A9518B81
                                                                                                                                                                                                                                          Function 00007FFD9B37D304 Relevance: 1.8, Strings: 1, Instructions: 578COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: dJ_H
                                                                                                                                                                                                                                          • API String ID: 0-2905161575
                                                                                                                                                                                                                                          • Opcode ID: 4d4147220024044285521d973be96595b588bc1c262171fa8589c7bc0fa2f860
                                                                                                                                                                                                                                          • Instruction ID: 0242cb36bcc96fe78b56adbabe707fcd269d735c5dcc82abccc1872367a5b380
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d4147220024044285521d973be96595b588bc1c262171fa8589c7bc0fa2f860
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D102F570B0DA498FD769EB28C4A46B577E1FF99300F15426ED48EC72A6DE24B842C781
                                                                                                                                                                                                                                          Function 00007FFD9B57C6FD Relevance: 1.8, Strings: 1, Instructions: 560COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: _
                                                                                                                                                                                                                                          • API String ID: 0-701932520
                                                                                                                                                                                                                                          • Opcode ID: dc8f6f001f02669dacd6b550c05587e6e387a5f71d35f850de5ab09440ce40bd
                                                                                                                                                                                                                                          • Instruction ID: 30823363ffadacf153ddbd6202701a7966f2bff62e11fdfa0e46235c06b93359
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc8f6f001f02669dacd6b550c05587e6e387a5f71d35f850de5ab09440ce40bd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1F13731B1EA8E4FEBAADB6894A56757BD1EF95300B0501FED449C71E7DE28E8028340
                                                                                                                                                                                                                                          Function 00007FFD9B37C9B5 Relevance: 1.8, Strings: 1, Instructions: 549COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: _
                                                                                                                                                                                                                                          • API String ID: 0-701932520
                                                                                                                                                                                                                                          • Opcode ID: 32518d29269d26e8a7ff463caa618efb686b770284c564c7714783e2c5266ac4
                                                                                                                                                                                                                                          • Instruction ID: aaff199a2d247d36f09defee104cbd817e1a95e4a22814d3e45df1628159ef3f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32518d29269d26e8a7ff463caa618efb686b770284c564c7714783e2c5266ac4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E029031B19A4D8FEBA4FB6CC8A57A977E2FF98300F550179D04ED72A1CE24A941C781
                                                                                                                                                                                                                                          Function 00007FFD9B3743F7 Relevance: 1.7, Strings: 1, Instructions: 465COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: eebbfa4e36148a3c4f8318b1245a35fc3b0767c5c1edced705c4e98618995a2b
                                                                                                                                                                                                                                          • Instruction ID: eed587735392f29b6c448e0172eab70fafc3ec4b534db477976ef9e3549fb9df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eebbfa4e36148a3c4f8318b1245a35fc3b0767c5c1edced705c4e98618995a2b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50E11230A1DB894FE768EB5884A0679B7E1FF95310F1505BED08EC32A6DE35F9428781
                                                                                                                                                                                                                                          Function 00007FFD9B5834CA Relevance: 1.7, Strings: 1, Instructions: 433COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: )_H
                                                                                                                                                                                                                                          • API String ID: 0-1508373536
                                                                                                                                                                                                                                          • Opcode ID: 086a275a2679846f48042c2622705612a9cf8378e668e6c716da99e32e170ae1
                                                                                                                                                                                                                                          • Instruction ID: e2a1e32624a4b3f7dbfda5451b08dec39ac872b7b7002523d6207480574a2752
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 086a275a2679846f48042c2622705612a9cf8378e668e6c716da99e32e170ae1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92E19671B0DE4E4FDBE6DF688465A693BE1FF59310B4600BAE449C72A3DA38AC41C741
                                                                                                                                                                                                                                          Function 00007FFD9B57BCFB Relevance: 1.7, Strings: 1, Instructions: 422COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 7_L
                                                                                                                                                                                                                                          • API String ID: 0-1211285059
                                                                                                                                                                                                                                          • Opcode ID: d6b338d9ed051f9d0c5ced36031f41f173cb7979fc132a67b00f4264a49a442e
                                                                                                                                                                                                                                          • Instruction ID: 1517c833bad06c3dd31e991022b45ca2f784e9e1175ef5835ea95aea7dedcafb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6b338d9ed051f9d0c5ced36031f41f173cb7979fc132a67b00f4264a49a442e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79C13531B1DA4A4FEBA9EF1CD4A1AB573D1FF99314B1402BAD44DC72A3DD24B8428780
                                                                                                                                                                                                                                          Function 00007FFD9B57EA81 Relevance: 1.6, Strings: 1, Instructions: 399COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e
                                                                                                                                                                                                                                          • API String ID: 0-1674947
                                                                                                                                                                                                                                          • Opcode ID: c407791b6b412d69101aaea4ab6896491334996c1607b58aceebe0f7fae9e644
                                                                                                                                                                                                                                          • Instruction ID: 6f58393f7660d4f3e3b99d569a0919d9091f32312e41bf3f1e9f7b8203a196b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c407791b6b412d69101aaea4ab6896491334996c1607b58aceebe0f7fae9e644
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AD1F330B1DA4A4FEB99EF2884A5A61B392FF95300B1445B9D05DCB2A7DA25FC42C780
                                                                                                                                                                                                                                          Function 00007FFD9B57CDD9 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p!g
                                                                                                                                                                                                                                          • API String ID: 0-2491649975
                                                                                                                                                                                                                                          • Opcode ID: f3360fe3881bf204036473413086bbee2d8cc46d129dfabe8bee2d539a1aebf5
                                                                                                                                                                                                                                          • Instruction ID: bc997b5dbe4216d27fe67a7545603204f6d12490ae6b581b842134843023a8cf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f3360fe3881bf204036473413086bbee2d8cc46d129dfabe8bee2d539a1aebf5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0BE14E70A0961D8FDBAADF18C8A5BA877B5FF59300F1001E9D44DE7292CA75AE80CF40
                                                                                                                                                                                                                                          Function 00007FFD9B373BA8 Relevance: 1.6, Strings: 1, Instructions: 383COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 1dca1b947ff17ce945067e58192a5dc7a0f67921fc6f15908b86b2814a066566
                                                                                                                                                                                                                                          • Instruction ID: 0420e6f63794d5409d60a7c4aa44b8397083bc3d2056217c84526433be0bf07f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1dca1b947ff17ce945067e58192a5dc7a0f67921fc6f15908b86b2814a066566
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5C10330B1CB494FD728EB58D491539B3E1FF99310B1446BDD09AC36A6DA35F8438B82
                                                                                                                                                                                                                                          Function 00007FFD9B373B28 Relevance: 1.6, Strings: 1, Instructions: 365COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 63ebacb9e0b242d67eafde9f0b88df157f965d4209ba72a9d5ea78b31606b238
                                                                                                                                                                                                                                          • Instruction ID: ec328b81acaeb9baef979e080a5d83a4dd801bdc5fba9c4111b6c85cbb5ccfe2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63ebacb9e0b242d67eafde9f0b88df157f965d4209ba72a9d5ea78b31606b238
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99B11130B1CB494FD728EB5CE4915B9B3E0FF94324B1446BED48AC71A6DA35F8428B81
                                                                                                                                                                                                                                          Function 00007FFD9B57EC04 Relevance: 1.6, Strings: 1, Instructions: 337COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e
                                                                                                                                                                                                                                          • API String ID: 0-1674947
                                                                                                                                                                                                                                          • Opcode ID: 352daa58223d74656d53b3d88aa3c9e92a63caf79603f75a2ac5175aaaf851e0
                                                                                                                                                                                                                                          • Instruction ID: 33e77b2940befbcbd8e8188cd86c26b01d875505c87de76a25c2511d7a8a3be8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 352daa58223d74656d53b3d88aa3c9e92a63caf79603f75a2ac5175aaaf851e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23B1F530B19A0A4FEB99EF2884A5A7573D2EF99304B1445BDD44DCB2A7DE25BC42C780
                                                                                                                                                                                                                                          Function 00007FFD9B581EF6 Relevance: 1.6, Strings: 1, Instructions: 310COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X"g
                                                                                                                                                                                                                                          • API String ID: 0-953971260
                                                                                                                                                                                                                                          • Opcode ID: c48a2883006729b7d7db9de9a9452380fbc590a119480c17314668b91aef6564
                                                                                                                                                                                                                                          • Instruction ID: cdf361dea5da6f630ce50a7b88f2111ed9db6849db0aee22424a7b9fc66e31bd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c48a2883006729b7d7db9de9a9452380fbc590a119480c17314668b91aef6564
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F991593170EB494FE7A6DB5894656757BD1EF89310F4501BEE48DC32A3DE29AC42C382
                                                                                                                                                                                                                                          Function 00007FFD9B36A0A0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 'Q_L
                                                                                                                                                                                                                                          • API String ID: 0-865484860
                                                                                                                                                                                                                                          • Opcode ID: 63b3471d22295adde80be6ac87d860d85345ceac9c0f745bea5e1ad42234b0be
                                                                                                                                                                                                                                          • Instruction ID: 401e38aa4bcb83dda0c265c8fd26c9ca2ed8831c8207a7df09aecf04f9ffc43f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63b3471d22295adde80be6ac87d860d85345ceac9c0f745bea5e1ad42234b0be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E61B461F1990D4FEBA8EA1C94A967833D2EBDC350B5501BEE44DC73A7DD25AC028381
                                                                                                                                                                                                                                          Function 00007FFD9B572592 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8e
                                                                                                                                                                                                                                          • API String ID: 0-3185754544
                                                                                                                                                                                                                                          • Opcode ID: be52a24d3fd9a520d77c774c2792930bf543587978c49b38bde99792219ad596
                                                                                                                                                                                                                                          • Instruction ID: 3f964d37b8bbcc1eaf5286cfd37a03c698cea47301ce321631cf1d222615ceed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be52a24d3fd9a520d77c774c2792930bf543587978c49b38bde99792219ad596
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2771B230B2DA498FEB94EB6CD065BA573D1FF98300F4044BDE44EC32A6DE25A845CB41
                                                                                                                                                                                                                                          Function 00007FFD9B368A55 Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e
                                                                                                                                                                                                                                          • API String ID: 0-1674947
                                                                                                                                                                                                                                          • Opcode ID: db968e03f80fa9b707c83e76da291c92bc2450a76cf05297a50f74e0054f45e3
                                                                                                                                                                                                                                          • Instruction ID: 2ecf4d051fb25a86926f1080fb059d231c022a42464e08e73863024742e92896
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db968e03f80fa9b707c83e76da291c92bc2450a76cf05297a50f74e0054f45e3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0161D270E1A64D8FEB64EBA4D4666EDBBB0FF49304F05027ED00DD72A2CA796942C750
                                                                                                                                                                                                                                          Function 00007FFD9B572620 Relevance: 1.5, Strings: 1, Instructions: 209COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8e
                                                                                                                                                                                                                                          • API String ID: 0-3185754544
                                                                                                                                                                                                                                          • Opcode ID: 5d0739ece37ef6df1951e886d329d0f8126dd2fc652f8eaa30ba45acb0a3ab66
                                                                                                                                                                                                                                          • Instruction ID: 756541173d819420387cf4a9eac4f936ec51531e603dcd4e93958f40bd173e8f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d0739ece37ef6df1951e886d329d0f8126dd2fc652f8eaa30ba45acb0a3ab66
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC61A230B2DA494FEBA4EB6CD0A5BA573D1EF59300F4044B9E04EC32A6DE25A845CB41
                                                                                                                                                                                                                                          Function 00007FFD9B572634 Relevance: 1.5, Strings: 1, Instructions: 203COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8e
                                                                                                                                                                                                                                          • API String ID: 0-3185754544
                                                                                                                                                                                                                                          • Opcode ID: e85ca84a7a6409044487bdf048b57b21068dca6e68292a8afbe897fd48ee68f0
                                                                                                                                                                                                                                          • Instruction ID: a2b9c15ce9b69de45ed9b1a3fab57e5dee5c4fbb914d7b1135d981992f7dc3a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e85ca84a7a6409044487bdf048b57b21068dca6e68292a8afbe897fd48ee68f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD618030B2DA498FEB94EB68D065BA673D1FF99300F5044BDE44EC32A6DE25B845CB41
                                                                                                                                                                                                                                          Function 00007FFD9B36D0A8 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^K_^
                                                                                                                                                                                                                                          • API String ID: 0-3349805252
                                                                                                                                                                                                                                          • Opcode ID: fba6e2c40b4c1f84a9bbc83da45cae150826816593d4b269511804eeebab0f28
                                                                                                                                                                                                                                          • Instruction ID: 8eb278d77b7251965211b6f8b67e0b8deaa1d0f4fdcbd51428a5f94ffe828530
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fba6e2c40b4c1f84a9bbc83da45cae150826816593d4b269511804eeebab0f28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2951B622A1D7954FD306B77CA4761E87BE0EF4223470942F7D889CB0E7E958284AC7A1
                                                                                                                                                                                                                                          Function 00007FFD9B368AA5 Relevance: 1.4, Strings: 1, Instructions: 167COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e
                                                                                                                                                                                                                                          • API String ID: 0-1674947
                                                                                                                                                                                                                                          • Opcode ID: 3c1c834cff448606ff16260dd9072240e08559d9937c5a69d71a081931adf8f2
                                                                                                                                                                                                                                          • Instruction ID: 3d6eb342b2c2387872d341cb8740cf32055430fdfd0f443bda305230167cff2d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c1c834cff448606ff16260dd9072240e08559d9937c5a69d71a081931adf8f2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE51F270E1A64D8FDB55EBA4D8666E97BB0FF49314F04027FD049DB2A2CA381942C750
                                                                                                                                                                                                                                          Function 00007FFD9B36A0F3 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: pe
                                                                                                                                                                                                                                          • API String ID: 0-1201281256
                                                                                                                                                                                                                                          • Opcode ID: 5d7b300eabe773b74ec50d02cf2290c54878a803efad25cad8b07b4c3373e7a1
                                                                                                                                                                                                                                          • Instruction ID: 82ed7c97e5707e6194be4c226eee116383a14230e2f41360e4acd1e2bf7e265a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d7b300eabe773b74ec50d02cf2290c54878a803efad25cad8b07b4c3373e7a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25412831B1A90D4FEBA4FBAC98AD6A87BD1FF98315F5401BBD44DC72A2DD21AC418740
                                                                                                                                                                                                                                          Function 00007FFD9B363C3D Relevance: 1.4, Strings: 1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e
                                                                                                                                                                                                                                          • API String ID: 0-1674947
                                                                                                                                                                                                                                          • Opcode ID: afaf2506f5268280a0a84fe2d0cee51d54482d24039f78bf3a4d1f7de1f61407
                                                                                                                                                                                                                                          • Instruction ID: d098c8548b2bb6f282a416f9404e672c0625de3d1a7dbe121b2e51d9ce6ce55b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afaf2506f5268280a0a84fe2d0cee51d54482d24039f78bf3a4d1f7de1f61407
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83417C71E0961D8FEB54EF98D4966ADBBB1FF58300F00017EE009E72A6CA796845CB40
                                                                                                                                                                                                                                          Function 00007FFD9B576B8C Relevance: 1.4, Strings: 1, Instructions: 140COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e
                                                                                                                                                                                                                                          • API String ID: 0-1674947
                                                                                                                                                                                                                                          • Opcode ID: 565d8ffe500788fc2739025fc0810a4d14ba00acf2fafa45a1bd2aff4c3d9911
                                                                                                                                                                                                                                          • Instruction ID: 73cb5d4eeeab9d1e216b5eb4556bbf5a2fc252e809aea0ebfc80378c34dbda41
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 565d8ffe500788fc2739025fc0810a4d14ba00acf2fafa45a1bd2aff4c3d9911
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0041F661F19A0A4FFBA9DB6884E977873D1EB58700F5541BED44EC32E2DE34AD828740
                                                                                                                                                                                                                                          Function 00007FFD9B3670F0 Relevance: 1.4, Strings: 1, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6e
                                                                                                                                                                                                                                          • API String ID: 0-1674947
                                                                                                                                                                                                                                          • Opcode ID: ddb734dfd2d86057a657dea36466653eef9fe35cc9155fd36cd0ae518f0da930
                                                                                                                                                                                                                                          • Instruction ID: a55cb231dd5184eaec06ccd07890fbd47ecbf6b82fdf09eefa741a2f5a57bb64
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ddb734dfd2d86057a657dea36466653eef9fe35cc9155fd36cd0ae518f0da930
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA31F831B19D0D8FD768EA6C986A57977E2FF99311B41017EE04DC72A6DE21AC0287C0
                                                                                                                                                                                                                                          Function 00007FFD9B3638E1 Relevance: 1.4, Strings: 1, Instructions: 132COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `\e
                                                                                                                                                                                                                                          • API String ID: 0-1008624089
                                                                                                                                                                                                                                          • Opcode ID: 824ca48c14fa3d3f4814dacee69736583449680914e28ff7f3ce09b5e9f2166a
                                                                                                                                                                                                                                          • Instruction ID: 2ad357a7404acb0990132469f5b4eebdbb477014b451fdde339d86066ccaf9ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 824ca48c14fa3d3f4814dacee69736583449680914e28ff7f3ce09b5e9f2166a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D415E71E0960DDFDB40EF98D456AEDBBF1FF59301F1441AAD008E72A6CA38A944CB40
                                                                                                                                                                                                                                          Function 00007FFD9B57CBCB Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: t
                                                                                                                                                                                                                                          • API String ID: 0-2238339752
                                                                                                                                                                                                                                          • Opcode ID: 52b693a2b38126f7f83d7f65793911c6f013ffa0f60927a46da58a87a65991a7
                                                                                                                                                                                                                                          • Instruction ID: 1868115436b1abf8653c257d83dc58e98182ae4f5aba6b8d6753e8df962c9ef8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 52b693a2b38126f7f83d7f65793911c6f013ffa0f60927a46da58a87a65991a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6212862F1D68E0FE799AB6C68691F977D0EF85210F0001BBD41DC31A7DE7969024340
                                                                                                                                                                                                                                          Function 00007FFD9B57CBE4 Relevance: 1.3, Strings: 1, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: t
                                                                                                                                                                                                                                          • API String ID: 0-2238339752
                                                                                                                                                                                                                                          • Opcode ID: e39d70fe635d053d7c8e7dad29664dc1af1dcbdcc0d482299731ba4031967e7c
                                                                                                                                                                                                                                          • Instruction ID: 182dc408a42a8cdfeafd09211d61c29d4ff4de67839507ed4d52ab7844058613
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e39d70fe635d053d7c8e7dad29664dc1af1dcbdcc0d482299731ba4031967e7c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6F02BD3F0E94E0AF2B9516C38992B493C1CBC5A20F0502BFD95EC32ABED1A6D030180
                                                                                                                                                                                                                                          Function 00007FFD9B37EA00 Relevance: 1.3, Strings: 1, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: he
                                                                                                                                                                                                                                          • API String ID: 0-3905172086
                                                                                                                                                                                                                                          • Opcode ID: 18d778876589cbfe448dccf1c1e5d02790107da7d979a28647c10707b3701d5f
                                                                                                                                                                                                                                          • Instruction ID: cf2ed57bd632ea9aaa6c4de3c34ea61f9b2441dddb88a30c5ce97baa4bcbe7bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18d778876589cbfe448dccf1c1e5d02790107da7d979a28647c10707b3701d5f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3AD0A714F1240A4FED94FB9D49C63403790FF0B204FC500A0E50CDB352E48E9D688301
                                                                                                                                                                                                                                          Function 00007FFD9B3733A8 Relevance: .6, Instructions: 636COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3f43354c11495a4ea9fb72d9647047acd62bd6bd027f3fb2279bdcdceb635b1f
                                                                                                                                                                                                                                          • Instruction ID: ef4067151f630ac1a00fed0d4a2d0d6c61c987c969041b810c3b5744192e4094
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f43354c11495a4ea9fb72d9647047acd62bd6bd027f3fb2279bdcdceb635b1f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D020B22B0FA8D4FEBA5EBAC98E55B43BE1FF5522470901FFD448C71A7DC15AA468340
                                                                                                                                                                                                                                          Function 00007FFD9B578A31 Relevance: .6, Instructions: 591COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d664b970b741f6aca83d3a9b9e7d43f8e81107f1d94720c4ab1ce4c97560fd7f
                                                                                                                                                                                                                                          • Instruction ID: f2b9005166639a1948b1a6ceba13290128f228071fd092c4d2c8249b268c0d1a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d664b970b741f6aca83d3a9b9e7d43f8e81107f1d94720c4ab1ce4c97560fd7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2202F431B1D90A4FEBE5EB2988A876573D2FF98304F1940B9D01DC72EBDE28AD418741
                                                                                                                                                                                                                                          Function 00007FFD9B3771ED Relevance: .5, Instructions: 478COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e848cd63ae32d36e47c6c474845ed3989c755652e2ca6272ccdffee7411a4cc6
                                                                                                                                                                                                                                          • Instruction ID: 45b00a9bcff6971e529880a781517d9b148de7b65625583e7940345566b9d830
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e848cd63ae32d36e47c6c474845ed3989c755652e2ca6272ccdffee7411a4cc6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61F1B371B1DB4D8FE768EB1C84A5669B7D2FFA8340F51457DE08DC32A6DE34A8018B42
                                                                                                                                                                                                                                          Function 00007FFD9B37E23F Relevance: .5, Instructions: 457COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f4a52bff911c369b112c9b766efe35565ac4e9246005f9139af1eee038503558
                                                                                                                                                                                                                                          • Instruction ID: 0294d20d06fe4a56bf14f0240da6ef0d25099dd328d96898e12bce3a513e7373
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f4a52bff911c369b112c9b766efe35565ac4e9246005f9139af1eee038503558
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01D1B331B19D5D4FEBA4FB6884A9AB433D1EF68310B0541BED84DCB2AADD24ED45C780
                                                                                                                                                                                                                                          Function 00007FFD9B581A35 Relevance: .5, Instructions: 455COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 48877c9a4e497de35c007c2d68aeb11142e66e6bae7477cc96f185e801615ef8
                                                                                                                                                                                                                                          • Instruction ID: b4ea6445126f6534e4fae4575507fd4775f94be7193252d8590392a2407c1802
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48877c9a4e497de35c007c2d68aeb11142e66e6bae7477cc96f185e801615ef8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9EE14B31A09A4D8FDFD5EF58C4A4AA937E2FFAC744F550169E44DD72A6CA30E841CB80
                                                                                                                                                                                                                                          Function 00007FFD9B36D9E9 Relevance: .4, Instructions: 438COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8eb6d11eb4e25aee377ed3a04b1e8e35f178c364bfa171faf4f3293200ad3a89
                                                                                                                                                                                                                                          • Instruction ID: ac354cdea3999b94732f1fe10ea8375e3b985402b0fc2c45348b87d0364ea7de
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8eb6d11eb4e25aee377ed3a04b1e8e35f178c364bfa171faf4f3293200ad3a89
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7BD1353170DB4D8FDB64EB58D452AA5B7E1FFA5310F05027ED08DC72A2DE26A846C782
                                                                                                                                                                                                                                          Function 00007FFD9B570557 Relevance: .4, Instructions: 414COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d6dec13151ad7f607778bb374204c55d69a146ff0e26e24c406d9c02e4679276
                                                                                                                                                                                                                                          • Instruction ID: be0e3b926ba5395020fc6cf79b094c20c2a1ebf88158f57fd77468a701a63efd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6dec13151ad7f607778bb374204c55d69a146ff0e26e24c406d9c02e4679276
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0B15621B0EA894FEBAAA76C58B55757BE1DF96210B1900FFD489C72E3DC19AC43C341
                                                                                                                                                                                                                                          Function 00007FFD9B36AAE8 Relevance: .4, Instructions: 404COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c7eca03ce35f7aec1a259e0824186e46006f0960de3d8faed5ea3988f01d7319
                                                                                                                                                                                                                                          • Instruction ID: f23b842b3d65b92885be194975d8fa6c9e40620237cdd36debab673ebe67ee43
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7eca03ce35f7aec1a259e0824186e46006f0960de3d8faed5ea3988f01d7319
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14B1C721B1EE4E8FEBA9EB6C84AA77437D1EF55300B4501BED44DC71A7EE28AD058740
                                                                                                                                                                                                                                          Function 00007FFD9B36B8D8 Relevance: .3, Instructions: 346COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e34e1aacc14eb1725ab40c2591915690cc6e6e5d50c9a48acb87a306b2ba96fa
                                                                                                                                                                                                                                          • Instruction ID: b155c3088b3d097cd9304597176912a674f889728a418040406a7a40238b8b06
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e34e1aacc14eb1725ab40c2591915690cc6e6e5d50c9a48acb87a306b2ba96fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1EA12831B0DE494FDBA4EBAC98616B577E1EF45320B0542BED08DC72E7D928B846C341
                                                                                                                                                                                                                                          Function 00007FFD9B373C08 Relevance: .3, Instructions: 334COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 493824e8bc53c95f4a080a9701d4a4d5a629c47a2ea05224e950f905fd0d9064
                                                                                                                                                                                                                                          • Instruction ID: a20b5d7f150eeb4c613d1362de045dc50fb236032957fd662e2276aec9a659e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 493824e8bc53c95f4a080a9701d4a4d5a629c47a2ea05224e950f905fd0d9064
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9A10030719A498FEB68EB6CC4A1A7173E1EF59314B1606BDD08EC36A6D925FC42C780
                                                                                                                                                                                                                                          Function 00007FFD9B57A806 Relevance: .3, Instructions: 329COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5e22131840b22c76087f9ad15f5f1c92ae5584226418850eec9688b1990abe64
                                                                                                                                                                                                                                          • Instruction ID: 70de632732275cce74f7d2a4b9f5c07d29a08d4853041334faf2323c5527bb53
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e22131840b22c76087f9ad15f5f1c92ae5584226418850eec9688b1990abe64
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C791F362B1EE4F0BFBFAA65C94A5A7523D2EFA835070501B9E41DC32E7ED18ED024341
                                                                                                                                                                                                                                          Function 00007FFD9B579CE8 Relevance: .3, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 63f4a79044e15380bcb678ab2e9e98dfe3b002979f8f9c6503e945639e5c2ac8
                                                                                                                                                                                                                                          • Instruction ID: e3e11637f925c5777c3aa314c4189e69afd14053c59ead48c5cf071180314d89
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63f4a79044e15380bcb678ab2e9e98dfe3b002979f8f9c6503e945639e5c2ac8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D491E331B1DE4E4BEBA9EB5C94A567677E2EF94310B0501B9E00DC72E7DE28AD068740
                                                                                                                                                                                                                                          Function 00007FFD9B57F33D Relevance: .3, Instructions: 313COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 56f4410f7eb4249ba8e71dc31813c9af64c727d0cb2e467c79b7d58c08b11647
                                                                                                                                                                                                                                          • Instruction ID: 4a55a3ffcba5753af209a4f566721811ce9f37f1ccba7788c5a488d70e45ba94
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56f4410f7eb4249ba8e71dc31813c9af64c727d0cb2e467c79b7d58c08b11647
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2FA14831B0E7CB4FE3AADA6884A51B87BD1FF82314F1541BEC48AC71E7DD2869428341
                                                                                                                                                                                                                                          Function 00007FFD9B3748A4 Relevance: .3, Instructions: 305COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d183f53217a5fe3493ff6aa470d6863988804c449fc44308038c3de2e18822dd
                                                                                                                                                                                                                                          • Instruction ID: 3fb346e7c48f7b3ce90b6db598a1aaaf445d3636a568980acb713be0ba8662eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d183f53217a5fe3493ff6aa470d6863988804c449fc44308038c3de2e18822dd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E915431B1DB4A4FD768EB6894E55BA73E0FF55310B10067ED09AC31A6EE34F8428780
                                                                                                                                                                                                                                          Function 00007FFD9B573D55 Relevance: .3, Instructions: 296COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 351dabb9e87dd6d3779a1db0b48a1c3024c1647ff04345a052fc23ede63e584a
                                                                                                                                                                                                                                          • Instruction ID: bdf7d5cfcef0a104e0eb6680a123cbc0ea6cd8294e53751675c1e62d01b63ba6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 351dabb9e87dd6d3779a1db0b48a1c3024c1647ff04345a052fc23ede63e584a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8581D13071E94D4FEBB9EA6CD4A5A7937D0EF49310B1600BAE48AC72A3D915ED428781
                                                                                                                                                                                                                                          Function 00007FFD9B373C30 Relevance: .3, Instructions: 294COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea0d776e3f4d2e7ace7bf8297f216dc9de9668d51c2e1f8f844ec032ac60242a
                                                                                                                                                                                                                                          • Instruction ID: c96cbda25b5c44bb3a1ce39e40ac6261821eb661438c02fd2c9613849b6b36f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea0d776e3f4d2e7ace7bf8297f216dc9de9668d51c2e1f8f844ec032ac60242a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC813530B1DB498FE768EB6884D55B977E0EF95314F14067ED48AC32A2EE24F8428741
                                                                                                                                                                                                                                          Function 00007FFD9B57A510 Relevance: .3, Instructions: 292COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cd2008ff96706f8db9fafbe9a20f4e062add4c578e8425802fdf6cdcfc03406e
                                                                                                                                                                                                                                          • Instruction ID: abfcb904355ee0241c8c994c3539206b9257e6110e2ea02c78cc9ea4b4affd16
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd2008ff96706f8db9fafbe9a20f4e062add4c578e8425802fdf6cdcfc03406e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC914531B0EB4A4FD769EBACD4A55E677E1FF50314B0802BAD45DC7197EE24B8428780
                                                                                                                                                                                                                                          Function 00007FFD9B37C950 Relevance: .3, Instructions: 289COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8ae6a131bd60f87c23792360f0da6354679427b1575dd45ed7b9dc4945bca2aa
                                                                                                                                                                                                                                          • Instruction ID: 52ec406358028dea9c68b9fd4b2bb2b6564fd9d3e9d9839d8198937ad481533a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ae6a131bd60f87c23792360f0da6354679427b1575dd45ed7b9dc4945bca2aa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC91A231B19E0D8FDBA4FF5894959A977E1FF98310B41013EE40AC32A6DE35F9418782
                                                                                                                                                                                                                                          Function 00007FFD9B58378A Relevance: .3, Instructions: 287COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d72e086f567fc9c48273bc9be9cd4562cf9427a7f409c8371492462133626e13
                                                                                                                                                                                                                                          • Instruction ID: be6665eabd94c6f5f480cc39e9ec9488121c24a7a2a713f616ab9399da04fc04
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d72e086f567fc9c48273bc9be9cd4562cf9427a7f409c8371492462133626e13
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7A1A670B0DA4D8FDFD5DF68C465AA97BE1FF69310B4500AAE449C72A2DA38EC41CB41
                                                                                                                                                                                                                                          Function 00007FFD9B5835CD Relevance: .3, Instructions: 282COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1133760079b01be3c3a3c5e33ee2bb757f7db81a353aa9f4037c69a5bf223ae4
                                                                                                                                                                                                                                          • Instruction ID: 754e0bf94cf8bf46bc277cba4421d7b0edbbec6c84debddc17495aa662a44e75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1133760079b01be3c3a3c5e33ee2bb757f7db81a353aa9f4037c69a5bf223ae4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00A18670A0DA4D8FDFD5DF68C4A5AA97BF1FF69310B4500AAE449C72A2DA34EC41CB41
                                                                                                                                                                                                                                          Function 00007FFD9B3753A9 Relevance: .3, Instructions: 274COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d0271674c6fb815a3a8ac224f3d650c23fee1773d4d41a12d42cdde0919ee0a8
                                                                                                                                                                                                                                          • Instruction ID: ea033ad8c102722321a5df48a7ec24f8da06cf90dce61877131d8690709e95c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0271674c6fb815a3a8ac224f3d650c23fee1773d4d41a12d42cdde0919ee0a8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D712D32B0ED4E4FFBACEA5CA4A12B977D2EF94360F46007ED44EC71A6ED15A9424340
                                                                                                                                                                                                                                          Function 00007FFD9B57352D Relevance: .3, Instructions: 271COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e6e08f83f99741f167338617ca52cd4cc7fb07846e7d8260084d65a158937872
                                                                                                                                                                                                                                          • Instruction ID: 720ed88327f6c67fac1f0f9fc9ab38d16d35ee0c747e90fc13bcbee0275fcfb2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6e08f83f99741f167338617ca52cd4cc7fb07846e7d8260084d65a158937872
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23818531B0D95D8FDBE5DB5CC4A4AB977E1FF59311B0500BAE04DD72A2CE28AD028741
                                                                                                                                                                                                                                          Function 00007FFD9B57125A Relevance: .3, Instructions: 264COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4c52201ad81d33855395eb2d535c1c66f1a3dda4fc916916d0bcbdf3393c4e71
                                                                                                                                                                                                                                          • Instruction ID: b613f27055d9a0ae6b4cf84e4f261f62b3b27d0a9b7295a07ab65cb6295016df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c52201ad81d33855395eb2d535c1c66f1a3dda4fc916916d0bcbdf3393c4e71
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6710432B1EA4D4FEBE9EA6C54B567873D2EF99250B5500BFD04AC32E7DD19AC028341
                                                                                                                                                                                                                                          Function 00007FFD9B575159 Relevance: .2, Instructions: 245COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ddc12a34d51f4b14b89390caad19b65ab58a180c50f93c1b48a90016aed6e8e5
                                                                                                                                                                                                                                          • Instruction ID: 191dc34985e7fa168ddf2cfcfeebf70d90e82040f68533b215459939e534c945
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ddc12a34d51f4b14b89390caad19b65ab58a180c50f93c1b48a90016aed6e8e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD71B171B1994D8FEBE5EB6C94A96A837E1FF68341F450079D40DD32A2DE28ED41C740
                                                                                                                                                                                                                                          Function 00007FFD9B57F098 Relevance: .2, Instructions: 237COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3e812b01632d87428df47137d8d1f0ac610872f99df96d78a8232ffde568b7bd
                                                                                                                                                                                                                                          • Instruction ID: 6548930f5049a33811cfe53d97ab00e04206f944a88be2d725d91d647e6e9c27
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e812b01632d87428df47137d8d1f0ac610872f99df96d78a8232ffde568b7bd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A710470E08A5C8FDB98DF58C885BE9BBB1FB59300F1091AAD04DE3256DB74A985CF41
                                                                                                                                                                                                                                          Function 00007FFD9B570D2D Relevance: .2, Instructions: 234COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed093c24eeebd0e5751f8a49db7bc6da6c230e14ae9ae3361a0267e5a27ad122
                                                                                                                                                                                                                                          • Instruction ID: f6d7a2e815406251d081764ad9025abd8aa56c86d14f52a0002b5eabe0c27a16
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed093c24eeebd0e5751f8a49db7bc6da6c230e14ae9ae3361a0267e5a27ad122
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39610571B1DE994FEBEA9A2C54F457573D2EF98B00B0900BAD44DC32E7DD24AC428781
                                                                                                                                                                                                                                          Function 00007FFD9B373C40 Relevance: .2, Instructions: 216COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b92d844a2b64b013a05cf9e11963d643951e20a9e5f8454a926d39b6a6cef10
                                                                                                                                                                                                                                          • Instruction ID: 2b549b648e63d996fe8ffb2faa5e7cecad5f77af26173320065f8b4c5e306636
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b92d844a2b64b013a05cf9e11963d643951e20a9e5f8454a926d39b6a6cef10
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD510031729A0E4FE768EB58D894A7573E0EF99310716027DD44EC36A2DA35FC838781
                                                                                                                                                                                                                                          Function 00007FFD9B570D5C Relevance: .2, Instructions: 214COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a9fddc1317b11f80fc2e8354d2468f146784d63d094ebb34abf47b1fab74d4bf
                                                                                                                                                                                                                                          • Instruction ID: ffee889292d03d26a004562d5c1def96219b701e9118cb0110d292bcf45d00e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9fddc1317b11f80fc2e8354d2468f146784d63d094ebb34abf47b1fab74d4bf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1251F331B1DE994FEBAA9A5C54F457977D2EF98B00B0900BEE449C32E7DD24EC428781
                                                                                                                                                                                                                                          Function 00007FFD9B5859D4 Relevance: .2, Instructions: 203COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d6aa1018188d0d6210713d9a71336bdcc9a184a432b6d2bd8306456de1e634ec
                                                                                                                                                                                                                                          • Instruction ID: aad5b3d8f81a60b127874c49bd92f2ae33adfd58c31490cd1bc81b2a03e97dda
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6aa1018188d0d6210713d9a71336bdcc9a184a432b6d2bd8306456de1e634ec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0A5128B2B0DE0D0FFBA99A5CA4A62F933E1EF95361F40017BD14DC3163ED26B9464641
                                                                                                                                                                                                                                          Function 00007FFD9B5795DD Relevance: .2, Instructions: 201COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e0f065b6939ebeb331999118724092cc5702ec4ae6b5b93ced72e823ff4eab8b
                                                                                                                                                                                                                                          • Instruction ID: 2d93ebe4294a043637833ca724be35b045c32216e03617c900ab87b1040f290f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e0f065b6939ebeb331999118724092cc5702ec4ae6b5b93ced72e823ff4eab8b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41513761F1E94E5FFBA5EA6C94AD5B477D2EF94380F0501BAC04DC71ABDD25A9038340
                                                                                                                                                                                                                                          Function 00007FFD9B372AB5 Relevance: .2, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b8319463f764db838bfd79af0bd9a317dc90b8e7f1442f300f3b601872b4a8ac
                                                                                                                                                                                                                                          • Instruction ID: dc9db0ca6c263d8b3bb986416065967fbd8c280e54de09bad3b5a8e15a91e2ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8319463f764db838bfd79af0bd9a317dc90b8e7f1442f300f3b601872b4a8ac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77512C32F0F65A0AE765B6BDB8B14F57BC0EF4126870902FBD49CCB0E7DC1964424A94
                                                                                                                                                                                                                                          Function 00007FFD9B5764A4 Relevance: .2, Instructions: 180COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c942e7c6b0050def7a878be4c61aa7b89ccf62474913c4b7ad40e146e3bab762
                                                                                                                                                                                                                                          • Instruction ID: 99f2a787207f623bb2873dc53e475a6b209cd98b8f2f9e98b437a18a3f112c9c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c942e7c6b0050def7a878be4c61aa7b89ccf62474913c4b7ad40e146e3bab762
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8412131B1DF0E4FEBA9DA4C98A557577E2FB98710B54027AD449C3266DE20FC028781
                                                                                                                                                                                                                                          Function 00007FFD9B5741BC Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d8ced75e54c8730de058225124c2bc64dc67ea4ab5912fb3f91095a0de1ec1f
                                                                                                                                                                                                                                          • Instruction ID: af6a3ff533fba2833bf722b00f3fc057a8d384930dc77c356bf31e3ea30bb2a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d8ced75e54c8730de058225124c2bc64dc67ea4ab5912fb3f91095a0de1ec1f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB514962B0F58A0FE3F6DA6C44A66797BD1EF95200F4A05FDD08DCB1B3C914AD168381
                                                                                                                                                                                                                                          Function 00007FFD9B57A0D5 Relevance: .2, Instructions: 174COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4561619753a70bf98144cb1fba816235387a53971bde79266ea3058b7baa7856
                                                                                                                                                                                                                                          • Instruction ID: 3b734eee55508cdfcf0baad966f9f3eab0e4ffae46ea01fe973958e9df4d6a42
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4561619753a70bf98144cb1fba816235387a53971bde79266ea3058b7baa7856
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7414A32B1EB0E0FF7A9AA4DA49527673D2EBD4220B15417ED04AC3267DE25FC428381
                                                                                                                                                                                                                                          Function 00007FFD9B57EE88 Relevance: .2, Instructions: 173COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a0f2e19884f651d84ad283d2a33e74f74162f9db6012dd7e0cfd7e2006e302c2
                                                                                                                                                                                                                                          • Instruction ID: 793ee84e601027641b286b223f74582ac3021b0909d16c6d5182e6ae7aa6fa8c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0f2e19884f651d84ad283d2a33e74f74162f9db6012dd7e0cfd7e2006e302c2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3851C130B18A0A4FDB98EF18C4A5A65B3D2FBA9304B14457CD44DC7697CA64FC42CB81
                                                                                                                                                                                                                                          Function 00007FFD9B5771DE Relevance: .2, Instructions: 164COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9d33aa11f9084b37171f43003a0c9a3a977960dcfec43b13fd8d0a08d6d0e867
                                                                                                                                                                                                                                          • Instruction ID: 29c7d563ae073767d6a77852bd23b1f8be758632f623b64e3a3ce817d9e13c66
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d33aa11f9084b37171f43003a0c9a3a977960dcfec43b13fd8d0a08d6d0e867
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA513334B1D9098FD7A9EF68D091A6977A2FF94304F614578D00AC72ABDE35F842CB80
                                                                                                                                                                                                                                          Function 00007FFD9B374131 Relevance: .2, Instructions: 161COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: db8a833f56d547f755898a2a5f3e2d1715e1e8df7ad491be622d078bf6c64ebd
                                                                                                                                                                                                                                          • Instruction ID: 428b19f0f797a4fdb2647bb26437e6da9a1ef8cb29e32b9f8238f591c82c7b1a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db8a833f56d547f755898a2a5f3e2d1715e1e8df7ad491be622d078bf6c64ebd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27512171E1995D4FEBB8EB6898A57AD77B1FF54300F0001BED04DE32A6DE346A428B40
                                                                                                                                                                                                                                          Function 00007FFD9B4E018D Relevance: .2, Instructions: 154COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2408404986.00007FFD9B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b4e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bce18abefd4b6ff4e11e9b93d48c93203c5f83a23796d194691ef3a474bde0e7
                                                                                                                                                                                                                                          • Instruction ID: 315bf2c5fa2242f2037e7e902d8b8b1b9f5e8fdc42264ff40476970e5629a4b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bce18abefd4b6ff4e11e9b93d48c93203c5f83a23796d194691ef3a474bde0e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F841182190E7C94FD7628B68487A5B4BFF0EF16204F4D00EFC498CB2A3D9286946D742
                                                                                                                                                                                                                                          Function 00007FFD9B384330 Relevance: .2, Instructions: 153COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 120092ae8e62a4cac9ed9d7696a66c87340b1e3ee7b76019f0600490571a0a7a
                                                                                                                                                                                                                                          • Instruction ID: d504b89a0f8456463fa69dbaab49193a5d643e9bdc1e268866bf776880a4c6f4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 120092ae8e62a4cac9ed9d7696a66c87340b1e3ee7b76019f0600490571a0a7a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95414330B1DE0A4BE768E6B894A1AB573D1EF54304B01457DC48EC3AA5EE39F8828341
                                                                                                                                                                                                                                          Function 00007FFD9B36B925 Relevance: .1, Instructions: 145COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eeaf3d4a4214db38ab45c8276f6e4e4c23543a49eca8a1a5c367643937770052
                                                                                                                                                                                                                                          • Instruction ID: cbfd4af94d8c03f2efb3f1d658ddd96043af39290d9faae60726190cc9054f5f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eeaf3d4a4214db38ab45c8276f6e4e4c23543a49eca8a1a5c367643937770052
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50416832B1DA050FE729FBACE8A28F937E0EF4133470402BED49A87497DD1474868795
                                                                                                                                                                                                                                          Function 00007FFD9B374C00 Relevance: .1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9faafa3da28f6bbf980308966c2b2019759d1d1ebb4a5f3cea85b5debed7625c
                                                                                                                                                                                                                                          • Instruction ID: a4344082b005993af78f1ea260e5ba2f3de021cbc2bc9e7993864933c472f4d2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9faafa3da28f6bbf980308966c2b2019759d1d1ebb4a5f3cea85b5debed7625c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A741D821B19D5E4FE7B9F76C9075A7967D1EF94240B0940BED04EC32A6DD18BD068340
                                                                                                                                                                                                                                          Function 00007FFD9B370210 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71fa038b42ecc0eff3fb6df9872570119242c2f9f39e34296e3256c776239deb
                                                                                                                                                                                                                                          • Instruction ID: 3e8f404a9855c7fd409bde5053b0c8a0819fc66ed0c2dec6c0cadf2a5009a4da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71fa038b42ecc0eff3fb6df9872570119242c2f9f39e34296e3256c776239deb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62419231B09A4D4FDBA8EF5898A56BA37D1FFA8310F11017EE41DD32A5CE35E9428781
                                                                                                                                                                                                                                          Function 00007FFD9B375150 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f0390effd99a4c15af40a3c1aec4716e49b12541c5a215af2678b0aa7ce086e
                                                                                                                                                                                                                                          • Instruction ID: 94ee1bcdb3f42e5fee973e54a74165fa7b971d8ae49bbceb6dd892130513fa83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f0390effd99a4c15af40a3c1aec4716e49b12541c5a215af2678b0aa7ce086e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C41A230B19A498FEBA9EB2CC0A4E7277E1EF58304B1645BDD04EC76A6CE25F945C740
                                                                                                                                                                                                                                          Function 00007FFD9B57E0DC Relevance: .1, Instructions: 140COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9e2547ce5b01d6458cf6bc5ffebdb17acb1064428a9bc12304b12e6095ac6d70
                                                                                                                                                                                                                                          • Instruction ID: c9055b4a99ec52b02132e0a24536e60b81c01661d1826e9d0b1e207149c2cce4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e2547ce5b01d6458cf6bc5ffebdb17acb1064428a9bc12304b12e6095ac6d70
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB31B331A0F7C94FD7639BA898725A87FB0EF46200F0941FBD098D71E3CA286959C352
                                                                                                                                                                                                                                          Function 00007FFD9B5850D4 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 77adebf9ccb25840752d2f2c00f8884220695eaec5388e80b84e99e29cd6bd72
                                                                                                                                                                                                                                          • Instruction ID: 5cc0d97d60ab38160054e8367cb93388d08377d38916e3fe8c3e43cabadd7f15
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77adebf9ccb25840752d2f2c00f8884220695eaec5388e80b84e99e29cd6bd72
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A312A62B0EF8E0FEBF7DA6CA87016577E1EB9426074502B7D089C31A7DD25BC464380
                                                                                                                                                                                                                                          Function 00007FFD9B570F69 Relevance: .1, Instructions: 134COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 36864ac298f2b5feb913a02005e4d5695ccd09988149e2465d1efbc3e33335ae
                                                                                                                                                                                                                                          • Instruction ID: a16eaa10052e84334e656bb45d4fe48b373bc72667ee1ce324554bf743e6475c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 36864ac298f2b5feb913a02005e4d5695ccd09988149e2465d1efbc3e33335ae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9415C21F0EA8D1FEBA7A77848B62B97BD1EF85210F4900FAD44CC72E7DD1869468341
                                                                                                                                                                                                                                          Function 00007FFD9B57089D Relevance: .1, Instructions: 133COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f31954b83870b22dbe45d9080eff162cddb4765cfedbb91038598d727f105473
                                                                                                                                                                                                                                          • Instruction ID: 42cf3d2d348326aa442c53e5e787537cb1a3b1bebfc856cf925e17424652c2dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f31954b83870b22dbe45d9080eff162cddb4765cfedbb91038598d727f105473
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95316622B0EA8D0FEBEA977C58B56A57BE1DF9565070A01FAE089C31E3DD086D028340
                                                                                                                                                                                                                                          Function 00007FFD9B375148 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 850b8de61aace14bdcd810a25d34198d93bd4413613d2b835f9aff399aca665c
                                                                                                                                                                                                                                          • Instruction ID: 1a8d23b6d71cc6290d778d2e3e3aa2e1437a8944b30e82ce8fb3a4b478ba872d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 850b8de61aace14bdcd810a25d34198d93bd4413613d2b835f9aff399aca665c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8417F30B19A498FDFA8EB6CC0A4E6177E1EF58304B1645ADD04EC76A6CE24FD45CB40
                                                                                                                                                                                                                                          Function 00007FFD9B5820E5 Relevance: .1, Instructions: 129COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 28d3349d1a4365b5c391b3dce81345d98b7045cb51ed80faa57ee042488a7b19
                                                                                                                                                                                                                                          • Instruction ID: 5eb0d54949ed0857fe3f454c79eaf80394f433de9c327467d9f620440806841a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 28d3349d1a4365b5c391b3dce81345d98b7045cb51ed80faa57ee042488a7b19
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B431182070DB480FE7A6D75C98657767BD1EF8A710F4502AFE489C32A7CE25AC0183C2
                                                                                                                                                                                                                                          Function 00007FFD9B367140 Relevance: .1, Instructions: 128COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8424e71036b06aa967cca46397bce32eaa7750194500f841c41bbd509efc195a
                                                                                                                                                                                                                                          • Instruction ID: 457b94d8f64f19c41c6b1441b104fa2391b3cc291c85522eaf706ade6263644d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8424e71036b06aa967cca46397bce32eaa7750194500f841c41bbd509efc195a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B731C572B19C1C4FEBA4F65C94A9BB973E1FB98350F05017AE00DD72A5DE24AC024780
                                                                                                                                                                                                                                          Function 00007FFD9B5713AA Relevance: .1, Instructions: 127COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8f49b1bbfb13a49740ad05b3662cd0da58e150d6069e20ec73f279d9cecd2d22
                                                                                                                                                                                                                                          • Instruction ID: 27407b9e78699d751865b31cb9f09348a3ef0a8e1991238fa16d73d19bdaee9a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f49b1bbfb13a49740ad05b3662cd0da58e150d6069e20ec73f279d9cecd2d22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C031D321B1EA894FEBAAE77C58B517877D3EF9924475900BFD049C32EBDD18AC028341
                                                                                                                                                                                                                                          Function 00007FFD9B57C9F5 Relevance: .1, Instructions: 123COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3580c018e0f2b83aca76cd03b3f111b1e48dbf742347dc62b905123255078800
                                                                                                                                                                                                                                          • Instruction ID: b983b95f8e7b0f4e5ad6900f6a7db6bf50b41da794fcd8d7f7382bd13f23bc78
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3580c018e0f2b83aca76cd03b3f111b1e48dbf742347dc62b905123255078800
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9231E461B2DE4F4BFBE9DB6890A567573C2EF94340B5545B9E019C31E7DE28ED028280
                                                                                                                                                                                                                                          Function 00007FFD9B578A50 Relevance: .1, Instructions: 120COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c9b465b5d44ec872b349a1246663300d367f5f862604eb9b318e96e75ef7b61
                                                                                                                                                                                                                                          • Instruction ID: 3dd3fe3c9da0af31d78716558cf81621470ceded980ac2744218532a3ec30d4c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c9b465b5d44ec872b349a1246663300d367f5f862604eb9b318e96e75ef7b61
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC31D330B1990B8FE7A5EA2984AC72662D3FFD8304F194179D51DC739ADE28ED418781
                                                                                                                                                                                                                                          Function 00007FFD9B370248 Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 55c56bc95f85ae5bfd7b43c997795847c86dd049ec32017313453084421361f4
                                                                                                                                                                                                                                          • Instruction ID: 75d5c1c8bb1fa8528e2169f9eb0a8e69b4c1e4adb227990af809e381b2a59d72
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55c56bc95f85ae5bfd7b43c997795847c86dd049ec32017313453084421361f4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1131E831B1DA498FE7A0E55C94D4676B7D1EFA8324F05057FE44CC36B1CA64EA81C386
                                                                                                                                                                                                                                          Function 00007FFD9B385B40 Relevance: .1, Instructions: 116COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 13371d7ece1520e517977388dbc81e04cde974d399aeb7fc4e9788d321dcb8da
                                                                                                                                                                                                                                          • Instruction ID: b96821e3c2905c43b6c8d6e12e315f338fc80eb5bef789405167c5422a6d0872
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13371d7ece1520e517977388dbc81e04cde974d399aeb7fc4e9788d321dcb8da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5531F62160EB890FD766E7B888685657BF1EF56200B0B41FFC089C71F3DE28680AC352
                                                                                                                                                                                                                                          Function 00007FFD9B577317 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 582ed0e68151c33d967c7fe7a05dd9fbcb3ad1dd4e77f14325d64090319698d4
                                                                                                                                                                                                                                          • Instruction ID: 754b7c34ecf34269d4a449800d5fddc982321e69d335e98c7c52ee1e59bb3bdc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 582ed0e68151c33d967c7fe7a05dd9fbcb3ad1dd4e77f14325d64090319698d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4031643570DA0D8FD7A9EF68D09166577A2FF84304F714678D00A8B2A7DA36F842C780
                                                                                                                                                                                                                                          Function 00007FFD9B577541 Relevance: .1, Instructions: 112COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3e3e9293626b9b168707fca8a2be5bfd6711ccd7b03375a0ebb6c34bd852c737
                                                                                                                                                                                                                                          • Instruction ID: 4667445a3b4f601cf716d855b8f037c501b7ae6c26720201d191368be2d52e57
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e3e9293626b9b168707fca8a2be5bfd6711ccd7b03375a0ebb6c34bd852c737
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7310931B1DA0E4FEBA9EB58A0A167977D2FF94300F5102B9D00A871A7DD25FD428380
                                                                                                                                                                                                                                          Function 00007FFD9B578159 Relevance: .1, Instructions: 109COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f72b51df5d5dc5e4dda973b40a1e3702a84b49139715111da8a859807ae69e28
                                                                                                                                                                                                                                          • Instruction ID: 3062503080ced89e3ef770829ffa323970133b4f7f5d770fe6f050c0f2f94ba3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f72b51df5d5dc5e4dda973b40a1e3702a84b49139715111da8a859807ae69e28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6121FB62B1F7890FE3A2D76C5C696B13FE1EF9665070901EBD488CB2A7D9056C068351
                                                                                                                                                                                                                                          Function 00007FFD9B379A17 Relevance: .1, Instructions: 108COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8f6dea61a9525c5de5b4035ea4505250cbe222c339a1a88745dedf7091ed465b
                                                                                                                                                                                                                                          • Instruction ID: 174e71ffec510575efde4b395db7c795a3051ffe71b85ca27231e74183b14458
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f6dea61a9525c5de5b4035ea4505250cbe222c339a1a88745dedf7091ed465b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2931693170E14A4FD725FB78C4908E677A0EF52314B6942FAD4588F1A7D928A882C780
                                                                                                                                                                                                                                          Function 00007FFD9B57481D Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f4f184dbcf3795ce9eaaa1739e3c8c8bd979e63e7b9c3e854808eb07aa066da6
                                                                                                                                                                                                                                          • Instruction ID: b4247c63f2bea5fc13a22830b6049180cfc5c0d45e2b4871ca6eab8e38421050
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f4f184dbcf3795ce9eaaa1739e3c8c8bd979e63e7b9c3e854808eb07aa066da6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4831E030A1EE894FDBE6E739D0A49A67BE0FF15210B0905EDD08ACB5A7D924FC41C740
                                                                                                                                                                                                                                          Function 00007FFD9B3798C8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 379794e62dc8abad7afb832d72f9a93400244b05a1eca20a3e8c47a5e22325e2
                                                                                                                                                                                                                                          • Instruction ID: 6336205de7e63f809fe9780cc4472c661e45c3efe924973dd538df93802e373b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 379794e62dc8abad7afb832d72f9a93400244b05a1eca20a3e8c47a5e22325e2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A31CF3150E7C64FD757DB6898A56807FF0EF07214B1A05EBC489CB0B7E6689C0AC751
                                                                                                                                                                                                                                          Function 00007FFD9B372969 Relevance: .1, Instructions: 96COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a9e6f3ca684df0c87b77a8714298295f658488d54f2fea9a32a768b3df393cb0
                                                                                                                                                                                                                                          • Instruction ID: 0abcf2f17c0690f7c711aa5f0bc46edc2ce89816ad73a768b463a38666fc871d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9e6f3ca684df0c87b77a8714298295f658488d54f2fea9a32a768b3df393cb0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26219C22A4F7D90FD7679778A8655A03FA1DF8322031E41EBD084CB0E3D91E99878356
                                                                                                                                                                                                                                          Function 00007FFD9B37F160 Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1728e8d8f22cf64d968a2fd2a5f7a99bffbc36fe54b5c58bbb2774699770ab74
                                                                                                                                                                                                                                          • Instruction ID: 8e304a442aba01845b54a9bbd0a41134740c8e839b5aa56cfa2feecf16ccc456
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1728e8d8f22cf64d968a2fd2a5f7a99bffbc36fe54b5c58bbb2774699770ab74
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9611A23172DE180BE768EA1CA85A575B3C1EB9C765B0501BFF40DC32A6DD566C4183C5
                                                                                                                                                                                                                                          Function 00007FFD9B4E088D Relevance: .1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2408404986.00007FFD9B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b4e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6e7b0ee3c388b9a5aa5bb44ce0f3a4a09d8ad6d8cfa599e2be0371a94390bc20
                                                                                                                                                                                                                                          • Instruction ID: 20c2452e85e43c263687f5312c9fcc18c588de101e63fd51725c8bb03e8daee5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e7b0ee3c388b9a5aa5bb44ce0f3a4a09d8ad6d8cfa599e2be0371a94390bc20
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6321F47190E7CD8FDB52CF6488655A97FB0FF16204B4941EFC498CB2A3DA346506E742
                                                                                                                                                                                                                                          Function 00007FFD9B3731E8 Relevance: .1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3108f10d33b6909352a5c104ca2772f7faa28f2b24250073fe88a65bdeb52f09
                                                                                                                                                                                                                                          • Instruction ID: f7e8be508c0e5d527b98097b9fe12314fce649796cedcafd9769d6edc48673a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3108f10d33b6909352a5c104ca2772f7faa28f2b24250073fe88a65bdeb52f09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59210A3160E7494FD355FB3CA4A56E57BE0DF95224F0801BBD489CB2A3DA2495468741
                                                                                                                                                                                                                                          Function 00007FFD9B5833D8 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4d602f705c0c6feaf15c5486dd3b8b87fc26643f17744dff6e79b69dc9f7bc0c
                                                                                                                                                                                                                                          • Instruction ID: 819560ac750880ea9dfbacb708d2010487ef51024459dd1d6e9dad6704a63a32
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d602f705c0c6feaf15c5486dd3b8b87fc26643f17744dff6e79b69dc9f7bc0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8221D831E0EA9C0FDBA2EAA848A91EC7BF0EF59611F4501BBE40CD31B3DD285C458351
                                                                                                                                                                                                                                          Function 00007FFD9B5776A3 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fbbb7f51f0ae89d8c037c91b70bfc90143004d0d15f4dd586673557d5c295edc
                                                                                                                                                                                                                                          • Instruction ID: 7349e812ced0d9c1c28c87858a3e0fb44079513f4511bd98a1cf2454e268d70b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbbb7f51f0ae89d8c037c91b70bfc90143004d0d15f4dd586673557d5c295edc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5921A131B1DA0E8BEBA9EA5CB4A16B973D1EB54350F5102B9D00EC31B7DE25B9428780
                                                                                                                                                                                                                                          Function 00007FFD9B584021 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0e9e296e72dec84494bd64dc74804230605f866961ef1c97f59da744882be86e
                                                                                                                                                                                                                                          • Instruction ID: 100428b867058b2ea27dbca8987013a8150d47153940ff1af4125a6fb4cfe107
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e9e296e72dec84494bd64dc74804230605f866961ef1c97f59da744882be86e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC21813170EE4C8FD796D66C98A8A657BD1FF9D31471A01EBE08DCB2A2D921AC41C741
                                                                                                                                                                                                                                          Function 00007FFD9B36EAE0 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8e13a60231e2b38129aa22eb12843d519328c6ec69ebe6145706d0f62e8e1c0d
                                                                                                                                                                                                                                          • Instruction ID: 2363cf8c9a7241d89a0aa499d5b5cb6004ef63a0f444e051456533ad95136805
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e13a60231e2b38129aa22eb12843d519328c6ec69ebe6145706d0f62e8e1c0d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8821D871E1EA9D8EEBA9EB68C4652E977B1FF54304F0001BED40DD31A2DE346A85CB41
                                                                                                                                                                                                                                          Function 00007FFD9B374088 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 66674fe9eae98e3cc51bec1a1c7294ec63fbd5aaa651d13313abc1e9ecba2be9
                                                                                                                                                                                                                                          • Instruction ID: 5f7bdf31bde9ff49d4b2abeb4b525bff3fda6adb717e58b1a05539e08a5eb81c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66674fe9eae98e3cc51bec1a1c7294ec63fbd5aaa651d13313abc1e9ecba2be9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD110507B1F9A90EE320F6EDA8E64F85B80EF8022530801BFD48CC70A7EC4879568290
                                                                                                                                                                                                                                          Function 00007FFD9B363AA5 Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c93ff132a74608f19e5a7907e4ba8c7e4b2f09f8256a0d389132128c9342c05b
                                                                                                                                                                                                                                          • Instruction ID: b3880214cdc09987491bfd32c2731ee203bbc0fb143ed24e4e47019b4593e66a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c93ff132a74608f19e5a7907e4ba8c7e4b2f09f8256a0d389132128c9342c05b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA218D71E15A0DDFDB40EF68C4566ADBBB2FF59300F10007AD108EB292CA39A944CB80
                                                                                                                                                                                                                                          Function 00007FFD9B36425B Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                          • Instruction ID: b28006200cb5cdbe72b102d4fd969be32fb98a0b791997d92b5696dd11a6b17e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F216F31C8E3C99FD32297A068226E57F749F03255F1B01EBD088DB4A3C55D569AC762
                                                                                                                                                                                                                                          Function 00007FFD9B3689A5 Relevance: .1, Instructions: 83COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f73e5d2db6907f43e61550aca9472743adefc7477ee5463960cfa1d773e9768d
                                                                                                                                                                                                                                          • Instruction ID: 3de38b02d48c8c08d910959109547b4b30a117a96710cbc98c20fb582977c8c9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f73e5d2db6907f43e61550aca9472743adefc7477ee5463960cfa1d773e9768d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38219030E0A60E8FEB74EA54D0526A8B7B1EB4A318F15077ED44CE72A1DB75AA85C740
                                                                                                                                                                                                                                          Function 00007FFD9B3760D1 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 951006a28c9e18c33324b112f5b21a99e9598f18726ee704d96b890bc2245055
                                                                                                                                                                                                                                          • Instruction ID: e8f8c0090e55cf369ba9a5aad4caeca7005f3c3e8c741f0c7959479991dfc72c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 951006a28c9e18c33324b112f5b21a99e9598f18726ee704d96b890bc2245055
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6011C132B1FA894FE7E5D5A92CFA1653AC2EF9960070A80FFE448C32B7EC119D018241
                                                                                                                                                                                                                                          Function 00007FFD9B574BE5 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bc1ce1e27d983476a4a34d4e4cb045eeb23ca93b3b5c47d4523bfe1a0e6405c4
                                                                                                                                                                                                                                          • Instruction ID: 3bcde68a73bb06811a40914db0afb000595feb29ce7a9b24a41a3988321f57d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc1ce1e27d983476a4a34d4e4cb045eeb23ca93b3b5c47d4523bfe1a0e6405c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E021D53070E9498FD6A6EB6C84A963937E5FF98200B4600BED08EC72B3DE19AD41C741
                                                                                                                                                                                                                                          Function 00007FFD9B5702A0 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5740e7ade42ef69801e528863d876e9198b73518c0da8821f82b8ae1494857ce
                                                                                                                                                                                                                                          • Instruction ID: ee6b2069fdb5bcda72abde8bdc62d633d963df80882ced5a4151e3770b618107
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5740e7ade42ef69801e528863d876e9198b73518c0da8821f82b8ae1494857ce
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35119331B1C9094FD658EB4CA46597473D2FF9871071001AEE48EC32A6DE20AC418785
                                                                                                                                                                                                                                          Function 00007FFD9B3760F0 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3c4a6aa7e0e01fbade7c56236c4375d912c111fc8c9f6818d6783904bca5e7b9
                                                                                                                                                                                                                                          • Instruction ID: 02c9e275cda7451d53f9d48d02c1b042acbcd5dde5e34fb01d7a6b1da9200901
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c4a6aa7e0e01fbade7c56236c4375d912c111fc8c9f6818d6783904bca5e7b9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7411CE32B2FD4D0FE6E4A4AD3CF91653AC2DB9965170641FFE80CC32B6EC129C418281
                                                                                                                                                                                                                                          Function 00007FFD9B37E1A5 Relevance: .1, Instructions: 76COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ac30e163b161445aa9bee8a3142336adace64c86998f6c500a487b448691acf
                                                                                                                                                                                                                                          • Instruction ID: aa1531c96d14ff10cb3aaaa1b707221ad2ccd033d500fb7d1c3c37e69eeaba6b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ac30e163b161445aa9bee8a3142336adace64c86998f6c500a487b448691acf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3211262070EA980FDBA4EA9C88E9A7537E1DF9A21070541BBD84CCB2A7DC14AC46C350
                                                                                                                                                                                                                                          Function 00007FFD9B377136 Relevance: .1, Instructions: 76COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2ac2e0e5b3b37fc3242d47c31d1976a9da629fecf199c374e86a6e4a5d12cd77
                                                                                                                                                                                                                                          • Instruction ID: a95b275e9121f83e0a4a12a275d6becd867c5abbb2c9b081c27eb95ad47d6884
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ac2e0e5b3b37fc3242d47c31d1976a9da629fecf199c374e86a6e4a5d12cd77
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C611AC7051DB889FE778EF28885DBA67BE0EFA9301F01457E948CC3262EE3068418742
                                                                                                                                                                                                                                          Function 00007FFD9B578F23 Relevance: .1, Instructions: 74COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3bdac37cc101082959b8c1dc553db0b095ec339b3b7e5eace1c335d208ba47c1
                                                                                                                                                                                                                                          • Instruction ID: 54150d3110ccf55dd28724fcdc0ddb45106eadcb6d6c42abe99bbf87b5b39732
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3bdac37cc101082959b8c1dc553db0b095ec339b3b7e5eace1c335d208ba47c1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A110A22F0D80D4FEBE4EA5894A5AB47392FF98350F598076D00DD3396DE24AD428780
                                                                                                                                                                                                                                          Function 00007FFD9B57CE00 Relevance: .1, Instructions: 74COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b61077d01e710b778770f1289478be73751458c67834000e907d7908d2278a0c
                                                                                                                                                                                                                                          • Instruction ID: 32cc9e942880cac559eb0a6ea531d0d8de3edd75ebd7b6851fef3341bb785508
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b61077d01e710b778770f1289478be73751458c67834000e907d7908d2278a0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD219F30709A0D8FDBA9EF58C4D4B6673A2FF99314F1106A8D419CB69ACA35EC91C780
                                                                                                                                                                                                                                          Function 00007FFD9B37532A Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2b54d57c598690830f346eecbe2b2f821e6c37a74f10919f0d108d37bea0ec40
                                                                                                                                                                                                                                          • Instruction ID: 0d92d90c945e7263c4a47e8e93dbd8987c3f9e81224d7e45a4293dcdf79a5a2a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b54d57c598690830f346eecbe2b2f821e6c37a74f10919f0d108d37bea0ec40
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F117C62B0EE0E4FFBBCE94C60A436563D1EBA82A0715457ED04EC75A5EE11AC0A8740
                                                                                                                                                                                                                                          Function 00007FFD9B574C00 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4abfd29b242e1c36795c56c4b17b46beffd0b70e078c9b8d7ef7ee87cbc9e467
                                                                                                                                                                                                                                          • Instruction ID: 59a42b730bb1806cc008ec3c78f8afa6aaf918f0d19c22f4e7c0b6da98b5aee8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4abfd29b242e1c36795c56c4b17b46beffd0b70e078c9b8d7ef7ee87cbc9e467
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8511913070A81D8FD6F5EBAC85A9A3A36D5FF98300B56007ED04EC32A2DE15AD40C741
                                                                                                                                                                                                                                          Function 00007FFD9B584995 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d504b905524cdad85f97eac6816740def3579961c8bde0791e2c2fb9fbf0b5c
                                                                                                                                                                                                                                          • Instruction ID: 317e245e5a2972cc15e8a1e83cd52b844a0b4d8fc0b0ac3339e853ea4329493e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d504b905524cdad85f97eac6816740def3579961c8bde0791e2c2fb9fbf0b5c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8001283060DE1D8FDBA4E65EC4A5D7437D0EF1831130605EAD48ACB2B2D518EC818B91
                                                                                                                                                                                                                                          Function 00007FFD9B36D965 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b6e1605bb2a830aa7910d4ee44e82a535c1a7881ea903c6ce99df91352687b6c
                                                                                                                                                                                                                                          • Instruction ID: aeb91a34f96f7589156f00a6ffb8dee9d157601cca3eb11b29b8620e660246f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6e1605bb2a830aa7910d4ee44e82a535c1a7881ea903c6ce99df91352687b6c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB115E71A0F7C48FD7069B7888659507FF0AF6720570A45EFD089CF1B3C5299946C722
                                                                                                                                                                                                                                          Function 00007FFD9B378413 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 92e77615a68e002a2b6607daffdd506ed66a1f2039396bf36e0d1e13d4d0dbf0
                                                                                                                                                                                                                                          • Instruction ID: 12a96d74698ac77d7fcf71287c5b1aa9cf4af0c61a4fc32c798929dbc267d889
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92e77615a68e002a2b6607daffdd506ed66a1f2039396bf36e0d1e13d4d0dbf0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A301A43274DC0C4FE7E8EA1DA4A5A7033D2EBAD32035506FBD44DC7666E912EC428740
                                                                                                                                                                                                                                          Function 00007FFD9B3652FD Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2145cb75cf63c2e13cadd143a3cb2555e9408075ab0ef0f30b56cddafd66a4d7
                                                                                                                                                                                                                                          • Instruction ID: e451c9e3fd7e9cbb7bbb8e3a98aec4cf697e40078b8799e2a2b74519c20d23c9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2145cb75cf63c2e13cadd143a3cb2555e9408075ab0ef0f30b56cddafd66a4d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5F07D3184F28E9FD322BB7058671E53FA0EF07714F0600BAE048874A3D95D175AC341
                                                                                                                                                                                                                                          Function 00007FFD9B3779B1 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f685fc58491cba3181a2087610be2e07599c8e02206c5842d581744c6513fe58
                                                                                                                                                                                                                                          • Instruction ID: d8f679934a0d6c7e6dd927a5fb921b88d4286c5dcada4148c0c4dc99688718af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f685fc58491cba3181a2087610be2e07599c8e02206c5842d581744c6513fe58
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41F0BB22B1D58C0FE794A56CAC5D9723BD4DB6713531601FFE448C7173E90298028355
                                                                                                                                                                                                                                          Function 00007FFD9B368A22 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                          • Instruction ID: 09615d95c376fbc88cfce3a3a158e9172814afef53dc72a95dd5d3b936754706
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ECF0CD35E4960E8BDB20EE94E0012F9F7B4EB86314F01223AC50CE3150D77ADA96CB48
                                                                                                                                                                                                                                          Function 00007FFD9B364228 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                          • Instruction ID: dc3c82779c0bef1ce57b675b8cd19694ae3639a8ccbabc3d2cae58dab450c937
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23F0CD35E4950D8FEB20EE95A4413F8F7B4EB82354F11203EC00CA3150D77ADA95CB48
                                                                                                                                                                                                                                          Function 00007FFD9B37D17D Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 411b30c67441c031c8537719c3e314f0b102b45e1d23fe8015528301d49f4e22
                                                                                                                                                                                                                                          • Instruction ID: 6fe7b166f88fcf3bd0ceb5d2ad15bd1161507b7da79793e9604072f17e8990f2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 411b30c67441c031c8537719c3e314f0b102b45e1d23fe8015528301d49f4e22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9018645A6FBCA1ED7A3B3B818B45612FA5DF4712470E02EBD0C8CB0A7D80C5A56C396
                                                                                                                                                                                                                                          Function 00007FFD9B373240 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 316cb654833f870fd51c371b66090c4bf299d84941ead36c33fd68633d02bfee
                                                                                                                                                                                                                                          • Instruction ID: f3df29cdd1a48cbaddd4d664003d9e3f3268823f28ed08960de87a90aa72ee76
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 316cb654833f870fd51c371b66090c4bf299d84941ead36c33fd68633d02bfee
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71019230608B088FD7A4EB288058A6A7BD1EFD4314F04057EE48DD7360DE34A941C781
                                                                                                                                                                                                                                          Function 00007FFD9B37E8DD Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1c70709a9a6347bc680a8ee8ca397a1bf1d828e1411b5f575f127eaa3abfcdd7
                                                                                                                                                                                                                                          • Instruction ID: c3c09e537e77bae74e3035e875bcd3025a931755b90f5e21d245db3b117ead59
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c70709a9a6347bc680a8ee8ca397a1bf1d828e1411b5f575f127eaa3abfcdd7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84F02831A0A68D5FE750EB6898A85A87FF0FF86200F0542FAD448C7163DE3826568740
                                                                                                                                                                                                                                          Function 00007FFD9B364B89 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ff74d87587870cb0a42d7ac5e161f7166214e2b0dba0c9e916ce45127108c153
                                                                                                                                                                                                                                          • Instruction ID: 602f495f669594ca6e5db61dc2c9c06934588802ef9d12c6d368809d0f2d69e0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff74d87587870cb0a42d7ac5e161f7166214e2b0dba0c9e916ce45127108c153
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A701D671D0E68D9FE751EB68C8B62E87FB0EF06210F4606FAD489C71A3DD281A49C701
                                                                                                                                                                                                                                          Function 00007FFD9B57040B Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f07f90c2d3e8c86c67272a2b7111366843d71e1c11bf5d67bb4d83ae1d4e89ea
                                                                                                                                                                                                                                          • Instruction ID: 0995447ad420fc58a7a49f30c751861b79c9160421460c5bc011424db6ae4583
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f07f90c2d3e8c86c67272a2b7111366843d71e1c11bf5d67bb4d83ae1d4e89ea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBF0373171DD1D0FE9A9A64C78625B873C2EB49A6075505BAD04AC3156ED05BD424285
                                                                                                                                                                                                                                          Function 00007FFD9B37FC2E Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d3d370a95d0baba5068ae7accdbccd33e9d3c365f91ee2813c8f24c157020fb4
                                                                                                                                                                                                                                          • Instruction ID: 4b67aa351c10a5dd578a3a4367beec8d25d9042af224d1155e2f5b9dde2764da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3d370a95d0baba5068ae7accdbccd33e9d3c365f91ee2813c8f24c157020fb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95F02733B0D99D4BDB68C89C20DD1F977C1E7AD13171402BFD08AC3255CD124C068380
                                                                                                                                                                                                                                          Function 00007FFD9B364B1D Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: afec3f24791b501a6c8bb4da28bfacd429490648eff526fcb60421d9022ce50a
                                                                                                                                                                                                                                          • Instruction ID: f1ca9893f13c49c052928d57030763bcc2eefab5a29c794f1daf2cbcd98802cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afec3f24791b501a6c8bb4da28bfacd429490648eff526fcb60421d9022ce50a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A601D63090A68DCFDB54EF14C8622E97BA1FF55300F02057DE40CC7192CA75E950C740
                                                                                                                                                                                                                                          Function 00007FFD9B57430C Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                          • Instruction ID: c92991bd8ed6230fdfa5ac70f57a9d188ca2c881e4d395fadc447f97d7ce98af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9E0653170D80E8FE6E1E60CE4A4B79B3E2FF98321B2201BAD00DC7262DE25AC418740
                                                                                                                                                                                                                                          Function 00007FFD9B36BC4A Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d867f43682535e04cfb1cf59322f62b28d205c4f83b374e4de8540ee5dca5b2c
                                                                                                                                                                                                                                          • Instruction ID: 93f5e09d0e1dd54db5eff74f949628963e20d74469009cd7535c655368dd76e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d867f43682535e04cfb1cf59322f62b28d205c4f83b374e4de8540ee5dca5b2c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5FF05B75E2590D9FDB94F798C896EEC73E1FF98B40F410074D448D3292ED296841C710
                                                                                                                                                                                                                                          Function 00007FFD9B5709B1 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2411200323.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 126e375f169ab50280db89bb21394380041df68d2d9e847a4110a22623dd7679
                                                                                                                                                                                                                                          • Instruction ID: ecb6fb0735bbed098c5b088f56d0f147852db19671d789a84fcbb26da3fa100d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 126e375f169ab50280db89bb21394380041df68d2d9e847a4110a22623dd7679
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93E07D41A0F1D81FFA5203A4AC718E13BD4CF4245074E41F6E088870A3C84C39024710
                                                                                                                                                                                                                                          Function 00007FFD9B368075 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ce807eee7dcd9cc968b0e37a8c73017e062f965706becd9fdf58f79757d34da
                                                                                                                                                                                                                                          • Instruction ID: 35a387f5f0867def7f28798855fd917b96279cf098e4e95864cce577f4dc32fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ce807eee7dcd9cc968b0e37a8c73017e062f965706becd9fdf58f79757d34da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6E0E531E0451C8ECB64EB68D851BECB7B1FF54205F4000BAE01CE3286CA3569818B40
                                                                                                                                                                                                                                          Function 00007FFD9B36AAE0 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2403022451.00007FFD9B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b360000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25a06580e7b2c42d0ac187b5a5ef4f0898837eb4e33d6ad49e3c09b5f21fce48
                                                                                                                                                                                                                                          • Instruction ID: ca7aac258c9a1d3dccf0c645328d66c5e5a0338cf35ac525ebefa9ec67628d03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25a06580e7b2c42d0ac187b5a5ef4f0898837eb4e33d6ad49e3c09b5f21fce48
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3C08C20936A0D8ED728F728484201476A0FF08200FC001F8E00CC2284D6AD91904706